[Resending. My emails don't seem to make it to this list...]
Worthwhile to note: By "un-spoofable" above I mean securely verifiable on a per-packet basis. This is substantially harder than host-to- hostverifiability. E.g., a HIP host identity tag is cryptographically verifiable by the communicating hosts, but it cannot be securely verified by filters (or other middleboxes).Why? Can you explain more? Due to the usage of the base exchange?
Correct. For a middlebox to securely perform a packet-level action (such as filtering) based on the ID of a packet, the ID in the packet would have to be securely verifiable based on information carried in the same packet. There is technology [1] that provides such per-packet information, but most ID/locator split solutions do not. - Christian [1] Packet Level Authentication project at Helsinki Institute of Technology, http://www.tcs.hut.fi/Software/PLA/new/ -- to unsubscribe send a message to rrg-request@psg.com with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg