
Re: TASL



Erik Nordmark wrote:
>> Since the protocol exchange is protected by TLS, we are certain
>> that no 3rd party has injected bogus locators or been able to
>> observe the locator exchange. Thus, whichever host initially
>> responded to locator ULID2 is the only one able to send and receive
>> news of alternative locators, and only to the host that initially
>> used locator ULID1. This seems to cover a lot of the multihoming
>> threats.
>
> This assumes that the responder has a certificate?
> What is the binding between that certificate and the identity of the
> responder? Based on the FQDN matching, or based on having IP address(es)
> in the certificate?

Personally I'd rather avoid any DNS dependence so maybe it has to be address based... but I'm too tired to think very clearly tonight...

> Assuming we worry about pre-meditated attacks (aka time-shifting attacks)
> we do need a reasonably strong binding between the cert and the responder.

Yes

>> Note that this is all a one-way solution as far as the ULP is concerned.
>> If ULP packets come back from host 2 to host 1, the whole thing is
>> repeated independently in the reverse direction.
>
> Does this mean that a separate TLS session is established in the reverse direction?

In the general case I think so, but it might be possible to optimize it out in many cases.

> Would the initiator of the communication need a TLS certificate?

That seems likely to be necessary.

The idea is half baked of course - I just wanted it on the table in
case it has any merit.

   Brian
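The scheme discussed in this exchange, as an added example written for this page in Go against the standard library; it is not code from the thread or from any multi6 implementation. Each host holds a certificate whose subjectAltName lists its own IP locators (the address-based binding Brian leans towards, with no DNS involved); the responder listens, the initiator connects over mutually authenticated TLS (so, as the thread concludes, the initiator needs a certificate too); each side checks that the peer's certificate is bound to the address the peer is actually using; and the initiator accepts the responder's announced alternative locator only if that locator is also in the responder's certificate. That last check is an addition of mine, not something the thread proposes. The self-signed certificates acting as their own trust anchors, the loopback addresses, the 2001:db8:: locator strings and the function names are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// locatorCert builds a self-signed certificate whose subjectAltName holds the host's
// IP locators, i.e. an address-based binding with no DNS dependence. Hypothetical
// helper for this example; a deployment would have a CA issue such certificates.
func locatorCert(ips []net.IP) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  ips, // iPAddress SANs only, no dNSName
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// boundToLocator reports whether cert carries an iPAddress SAN equal to the locator
// the peer is actually using. A dNSName never satisfies an IP-literal check.
func boundToLocator(cert *x509.Certificate, ulid string) bool {
	return cert.VerifyHostname(ulid) == nil
}

// respond is the responder's side: accept one connection, let TLS verify the
// initiator's chain, bind that certificate to the address the initiator connected
// from, and only then announce the responder's alternative locator.
func respond(ln net.Listener, announce string) error {
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	tc := c.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return err
	}
	peerIP, _, _ := net.SplitHostPort(c.RemoteAddr().String())
	if !boundToLocator(tc.ConnectionState().PeerCertificates[0], peerIP) {
		return fmt.Errorf("initiator certificate not bound to %s", peerIP)
	}
	_, err = c.Write([]byte(announce))
	return err
}

// learnLocator runs one protected exchange over loopback: the responder listens, the
// initiator connects, both present certificates, and the initiator comes away with
// one alternative locator for the responder. The reverse direction is the same call
// with the two certificates swapped.
func learnLocator(initiator, responder tls.Certificate, announce string, pool *x509.CertPool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{responder},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the initiator needs a certificate too
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() { errc <- respond(ln, announce) }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{initiator},
		RootCAs:      pool,
		ServerName:   "127.0.0.1", // an IP literal is matched against the iPAddress SAN; no DNS lookup
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := <-errc; err != nil {
		return "", err
	}
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err
	}
	// Added check: accept only locators the responder's own certificate is bound to.
	if alt := string(buf[:n]); boundToLocator(conn.ConnectionState().PeerCertificates[0], alt) {
		return alt, nil
	}
	return "", fmt.Errorf("announced locator %q is not bound to the responder's certificate", buf[:n])
}

func main() {
	h1, _ := locatorCert([]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("2001:db8:1::1")})
	h2, _ := locatorCert([]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("2001:db8:2::2")})
	pool := x509.NewCertPool()
	pool.AddCert(h1.Leaf)
	pool.AddCert(h2.Leaf)
	fmt.Println(learnLocator(h1, h2, "2001:db8:2::2", pool)) // reverse direction: learnLocator(h2, h1, ...)
}
```

TLS on its own only verifies the chain; it does not know which locator the peer is using, so the responder's check of the initiator's certificate against the connecting address, and the initiator's check of the announced locator against the responder's certificate, are done explicitly above. A host holding a perfectly valid certificate for some other address (the pre-meditated attacker Erik asks about) passes the handshake but fails the binding check. Calling learnLocator again with the two certificates swapped carries the reverse direction as a second, independent session.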