Re: about Wedgelayer 3.5 / Fat IP approaches

[Erik Nordmark <Erik.Nordmark@sun.com>]

> - for the initiator, you use an ephemeral id. In this case, you don't 
> need to worry about all the threats, since the ephemeral id won't be 
> valid for following communications. Basically, the only thing you need 
> to worry about is that the endpoint that is communicating remains the 
> same. You don't worry about id hijacking since the id is ephemeral (so 
> it will become meaningless in a short while)

I think it is the FCFS per-peer allocation of the ephemeral ID that matters.
Basically you don't need to worry about premeditated redirection attacks
because, should a node discover that "its" ID is being used by somebody else
at a particular peer, it can just invent a new empeheral ID and try that one.

Thus WIMP doesn't require that the ID be renewed at any particular frequency;
an ephemeral ID might be used for years. But due to the FCFS property
a new ID might be allocated any time some new communication is attempted.
For all I know the node can continue to use the previous ID when communicating
with other peers long after the conflict had been detected at a particular
peer.

> Now, you are proposing to use long lived ids for the initiator as well. 
> In this case, you solve the refferal problem, but the price is that you 
> now have to consider all the threats that you were not considering when 
> using ephemeral ids. So you need a mechanism to prove the initiator'r 
> id ownership. In other words, imho hash chains are not enough in this 
> case, and you need something else. NOID uses the DNS, HIP uses the 
> crypto nature of its ids, what would be the mechanisms here for this?

Don't know yet. One could potentially do the union of all of the above
(yes, complexity alarms are ringing - but I still want to understand this
stuff and see how bad it would be) including exploring weaker approaches
like RR.

  Erik