[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] Renumbering... ACLs etc.



[Resending.  My emails don't seem to make it to this list...]

Worthwhile to note: By "un-spoofable" above I mean securely verifiable on a per-packet basis. This is substantially harder than host-to- host
verifiability.  E.g., a HIP host identity tag is cryptographically
verifiable by the communicating hosts, but it cannot be securely
verified by filters (or other middleboxes).

Why? Can you explain more? Due to the usage of the base exchange?


Correct.  For a middlebox to securely perform a packet-level action
(such as filtering) based on the ID of a packet, the ID in the packet
would have to be securely verifiable based on information carried in
the same packet.  There is technology [1] that provides such
per-packet information, but most ID/locator split solutions do not.

- Christian


[1] Packet Level Authentication project at Helsinki Institute of
    Technology, http://www.tcs.hut.fi/Software/PLA/new/



--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg