Re: [RRG] On "jack-down" models
Scott,
[Jack down] has obvious security implications which will, in
effect, require a security association between hosts. That
security association effectively requires some security token
(e.g., a public-private key pair used to compute a session key)
so that the correspondent host can be assured that the component
connections are indeed related. This security token is, for all
intents and purposes, a host identifier.
I question the very last step. The various multiplexed transport
layer connections are unified by something at or above their
level. Therefore an identification/authentication mechanism to
unify them could be, perhaps should be, at a higher layer. It
could be a transport-layer identity for the entire host, but
certainly doesn't need to be. In fact I don't see a
*requirement* for a network-layer or even transport-layer
identity to be used in end-to-end authentication (routing yes).
While I can easily see architectures where such network-layer or
transport-layer identities do not exist, especially the network-
layer ones are quite useful.
Specifically, network-layer host-to-host identifiers make a) host-
based mobility and b) host-based multi-homing (aka multi-access)
easier, especially in multi-operator (roaming) situations.
However, for such use the network-layer identifiers can be both
anonymous (not bound to a real-world identity) and ephemeral.
They need to be cryptographically relatively strong, though, i.e.
at least composed of several tokens or, preferably, based on hash
chains or shared secrets.
This feels circular.
Hmm. What do you mean by that? Perhaps one key insight here is to
make a distinction between identity and identifier. It is quite
possible to continue to identify an entity even when the identifiers
are not constant. For one particular approach, see [1].
Specifically how does a network-layer ID make host-based mobility
and multihoming easier? I'm wondering about the real need. Yes,
you need some kind of ID -- does the ID need to be a general one at
the network layer? It would seem that the naming need is in higher
layers, not at the network layer per se.
It makes it easier by aligning the physical mobility granularity and
the signalling granularity.
In general, if you want to make mobility signalling efficient, you
have to make sure that:
1. There is a single anchor point through which all the traffic flows
during the mobility event (the traffic can flow over a more optimal
route before and afterwards). Consider FMIP as a (convoluted)
example. There the previous AR acts as such an anchor point.
2. The only _fast_ signalling needed is between the mobile entity and
the anchor point. That is, other signalling such as using more
optimal routes etc. should be able to wait.
3. Pick the topological location of the anchor point in such a way
that you minimise the sum of your latencies both at the old and the
new location.
(Perhaps I should write up the insight above into some publication/
draft?)
Deriving from that, if your identifier (static or sequence) uniquely
identifies the moving entity (e.g. host or subnet), you can minimise
the signalling required at the time of the mobility event. (In some
cases you can make do with "null" signalling, i.e., from an information
theoretic point of view you need no extra bits for the mobility event
once you've set the scene in a suitable way.)
On the other hand, if you have multiple identifiers in the moving
entity, you will need more signalling. Of course, if those
identifiers are delegable, you can delegate the signalling rights to
another identifier and circumvent the inefficiency. [2]
When a host works from multiple IP addresses (either serially or
simultaneously), which functions need to know that this is in fact
the same host? It's for service continuity. The IP layer doesn't
care. Transport might care but won't know how to use the knowledge
effectively. (E2E principle within a general-purpose stack.)
I agree (to an extent) [3].
It used to be obvious to us that a network-layer node name was
important, but I get the feeling that times have changed and
identifiers are more important higher up the stack.
I agree, with the exception of the efficiency point above.
--Pekka
[1] Jari Arkko, Pekka Nikander, and Mats Näslund, "Enhancing Privacy
with Shared Pseudo Random Sequences," in Security Protocols, 13th
International Workshop, Cambridge, April 20-22, 2005.
[2] Pekka Nikander and Jari Arkko, "Delegation of Signalling Rights,"
in Security Protocols, 10th International Workshop, Cambridge, UK,
April 16-19, 2002, LNCS 2845, pp. 203-212, Springer, 2003.
[3] Tuomas Aura, Pekka Nikander, and Gonzalo Camarillo, "Effects of
Mobility and Multihoming on Transport-Layer Security," in Proceedings
of the IEEE Symposium on Security and Privacy, Berkeley/Oakland,
California, May 9-12, 2004, IEEE Computer Society.
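The message above argues that a network-layer identifier can be anonymous and ephemeral yet still let a correspondent recognise the same host, and names hash chains and shared secrets as the two ways to get there. The following is an added example sketching both constructions; it is not code from the thread or from the cited papers, and the identifier length, epoch encoding, lookahead window and all function names are this example's own assumptions.

```python
"""Ephemeral identifiers that stay linkable to one host for its correspondent.

Added example for this thread; not code from the post or the cited papers.
It sketches the two constructions the post names:
  (a) a hash chain, where each new identifier is the preimage of the one the
      correspondent already holds (continuity is checkable by anyone who saw
      the earlier identifier, so it is ephemeral but not unlinkable);
  (b) a shared-secret pseudo-random sequence, where the identifier for epoch i
      is HMAC(secret, i) and only holders of the secret can recognise the host
      (unlinkable to third parties, but needs prior key setup).
ID_LEN, the 8-byte epoch encoding and the lookahead window are assumptions.
"""
import hashlib
import hmac
import os
from typing import List, Optional

ID_LEN = 16  # bytes of identifier assumed to fit in the packet (constructed value)


# ---- (a) hash chain: anyone can check continuity, only the seed holder can continue it ----

def make_hash_chain(seed: bytes, length: int) -> List[bytes]:
    """Return identifiers in disclosure order: [H^length(seed), ..., H^1(seed)].

    The host uses chain[0] first. Each later identifier hashes to the previous
    one, so only the seed holder can produce the next valid identifier.
    """
    chain = []
    x = seed
    for _ in range(length):
        x = hashlib.sha256(x).digest()
        chain.append(x)
    chain.reverse()
    return chain


def verify_chain_step(known_id: bytes, new_id: bytes) -> bool:
    """Correspondent side: accept new_id only if it is the preimage of known_id."""
    return hmac.compare_digest(hashlib.sha256(new_id).digest(), known_id)


# ---- (b) shared-secret sequence: recognisable only by the peer holding the secret ----

def epoch_identifier(secret: bytes, epoch: int) -> bytes:
    """Identifier for one epoch; without the secret it is unrelated to other epochs."""
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:ID_LEN]


class Correspondent:
    """Tracks one peer's identifier sequence and tolerates a few skipped epochs."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.next_epoch = 0
        self.window = window  # how many epochs ahead to look (assumed policy)

    def recognise(self, ident: bytes) -> Optional[int]:
        """Return the epoch if ident is this peer's next identifier within the
        window; None for strangers and for replayed, already-consumed epochs."""
        for epoch in range(self.next_epoch, self.next_epoch + self.window):
            if hmac.compare_digest(epoch_identifier(self.secret, epoch), ident):
                self.next_epoch = epoch + 1  # this and earlier epochs are now spent
                return epoch
        return None


if __name__ == "__main__":
    chain = make_hash_chain(os.urandom(32), 4)
    print("chain step accepted:", verify_chain_step(chain[0], chain[1]))
    print("skipped chain step rejected:", not verify_chain_step(chain[0], chain[2]))

    secret = os.urandom(32)
    peer = Correspondent(secret)
    print("epoch 0 recognised as:", peer.recognise(epoch_identifier(secret, 0)))
    print("epoch 2 (1 skipped) recognised as:", peer.recognise(epoch_identifier(secret, 2)))
    print("replay of epoch 1:", peer.recognise(epoch_identifier(secret, 1)))
    print("stranger's identifier:", peer.recognise(epoch_identifier(os.urandom(32), 3)))
```

The two constructions trade off differently, which is the point of the post's identity/identifier distinction: the hash chain lets any observer confirm that a new identifier continues an earlier one (so the host is pseudonymous but trackable), while the shared-secret sequence lets only the intended correspondent make that connection, at the cost of a prior security association of the kind Scott's quoted paragraph describes.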