[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] On "jack-down" models

To: Scott Brim <swb@employees.org>
Subject: Re: [RRG] On "jack-down" models
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Date: Thu, 27 Mar 2008 17:37:40 +0200
Cc: tony.li@tony.li, "'Routing Research Group'" <rrg@psg.com>
In-reply-to: <47EBB6B4.1090100@employees.org>
References: <007101c88746$512d1a70$6e00a8c0@ad.redback.com> <47DDC084.8050708@employees.org> <E3B46518-B342-4C75-A0EF-F405A8A45233@nomadiclab.com> <47EBB6B4.1090100@employees.org>

Scott,

[Jack down] has obvious security implications which will, ineffect, require a security association between hosts. Thatsecurity association effectively requires some security token(e.g., a public-private key pair used to compute a session key)so that the correspondent host can be assured that the componentconnections are indeed related. This security token is, for allintents and purposes, a host identifier.
I question the very last step. The various multiplexed transportlayer connections are unified by something at or above theirlevel. Therefore an identification/authentication mechanism tounify them could be, perhaps should be, at a higher layer. Itcould be a transport-layer identity for the entire host, butcertainly doesn't need to be. In fact I don't see a*requirement* for a network-layer or even transport-layeridentity to be used in end-to-end authentication (routing yes).
While I can easily see architectures where such network-layer ortransport-layer identities do not exist, especially the network-layer ones are quite useful.
Specifically, network-layer host-to-host identifiers make a) host-based mobility and b) host-based multi-homing (aka multi-access)easier especially in the multi-operator (roaming) situations.However, for such use the network-layer identifiers can be bothanonymous (not bound to a real-world identity) and ephemeral.They need to be cryptographically relatively strong, though, i.e.at least composed of several tokens or, preferably, based on hashchains or shared secrets.
This feels circular.

Hmm. What do you mean with that? Perhaps one key insight here is tomake a distinction between identity and identifier. It is wellpossible to continue to identify an entity even when the identifiersare not constant. For one particular approach, see [1]

Specifically how does a network-layer ID make host-based mobilityand multihoming easier? I'm wondering about the real need. Yes,you need some kind of ID -- does the ID need to be a general one atthe network layer? It would seem that the naming need is in higherlayers, not at the network layer per se.

It makes it easier by aligning the physical mobility granularity andthe signalling granularity.

In general, if you want to make mobility signalling efficient, youhave to make sure that:

1. There is a single anchor point through which all the traffic flowsduring the mobility event (the traffic can flow over more optimalroute before and afterwards). Consider FMIP as a (convoluted)example. There the previous AR acts as such anchor point.

2. The only _fast_ signalling needed is between the mobile entity andthe anchor point. That is, other signalling such as using moreoptimal routes etc. should be able to wait.

3. Pick the topological location of the anchor point in such a waythat you minimise the sum of your latencies both at the old and thenew location.

(Perhaps I should write up the insight above into some publication/draft?)

Deriving from that, if your identifier (static or sequence) uniquelyidentifies the moving entity (e.g. host or subnet), you can minimisethe signalling required at the time of the mobility event. (In somecases you can make with "null" signalling, i.e., from an informationtheoretic point of view you need no extra bits for the mobility eventonce you've set the scene in a suitable way.)

On the other hand, if you have multiple identifiers in the movingentity, you will need more signalling. Of course, if thoseidentifiers are delegable, you can delegate the signalling rights toanother identifier and circumvent the inefficiency. [2]

When a host works from multiple IP addresses (either serially orsimultaneously), which functions need to know that this is in factthe same host? It's for service continuity. The IP layer doesn'tcare. Transport might care but won't know how to use the knowledgeeffectively. (E2E principle within a general-purpose stack.)


I agree (to an extent) [3].

It used to be obvious to us that a network-layer node name wasimportant, but I get the feeling that times have changed andidentifiers are more important higher up the stack.


I agree, with the exception of the efficiency point above.

--Pekka

[1] Jari Arkko, Pekka Nikander, and Mats Näslund, "Enhancing Privacywith Shared Pseudo Random Sequences," in Security Protocols, 13rdInternational Workshop, Cambridge, 20-22 April, 2005.[2] Pekka Nikander and Jari Arkko, "Delegation of Signalling Rights,"in Security Protocols, 10th International Workshop, Cambridge, UK,April 16-19, 2002, LCNS 2845, pp. 203-212, Springer, 2003.[3] Tuomas Aura, Pekka Nikander, and Gonzalo Camarillo, "Effects ofMobility and Multihoming on Transport-Layer Security," in Proceedingsof IEEE Symposium on Security and Privacy, Berkeley/Oakland,California, May 9-12, 2004, IEEE Computer Society.




--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

References:
- [RRG] On "jack-down" models
  - From: "Tony Li" <tony.li@tony.li>
- Re: [RRG] On "jack-down" models
  - From: Scott Brim <swb@employees.org>
- Re: [RRG] On "jack-down" models
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: [RRG] On "jack-down" models
  - From: Scott Brim <swb@employees.org>

Prev by Date: RE: [RRG] On "jack-down" models
Next by Date: Re: [RRG] On "jack-down" models
Previous by thread: RE: [RRG] On "jack-down" models
Next by thread: RE: [RRG] On "jack-down" models
Index(es):
- Date
- Thread