[Resending. My emails don't seem to make it to this list...]
> > Worthwhile to note: By "un-spoofable" above I mean securely verifiable on a per-packet basis. This is substantially harder than host-to-host verifiability. E.g., a HIP host identity tag is cryptographically verifiable by the communicating hosts, but it cannot be securely verified by filters (or other middleboxes).
>
> Why? Can you explain more? Due to the usage of the base exchange?

Correct. For a middlebox to securely perform a packet-level action
(such as filtering) based on the ID of a packet, the ID in the packet
would have to be securely verifiable based on information carried in
the same packet. There is technology [1] that provides such
per-packet information, but most ID/locator split solutions do not.
- Christian
[1] Packet Level Authentication project at Helsinki Institute of
Technology, http://www.tcs.hut.fi/Software/PLA/new/
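
The distinction drawn in this message, as an added example that is not part of the original email and not code from the PLA project: a packet whose ID a middlebox can check from the packet's own contents, next to one authenticated with a key only the two hosts share. Lamport one-time signatures (one key per packet) are used purely as a standard-library stand-in for a per-packet signature; the packet field names and function names are assumptions made for the illustration.

```python
import hashlib, hmac, os

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; public key = their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def make_packet(sk, pk, payload):
    # Self-contained packet: ID, public key and signature travel with the payload.
    host_id = H(pk)  # assumption: the ID is the hash of the host's public key
    sig = b"".join(sk[i][b] for i, b in enumerate(bits(host_id + payload)))
    return {"id": host_id, "pk": pk, "sig": sig, "payload": payload}

def middlebox_verify(pkt):
    # Uses only fields of this one packet: no session state, no shared secret.
    pk, sig = pkt["pk"], pkt["sig"]
    if len(pk) != 256 * 64 or len(sig) != 256 * 32 or H(pk) != pkt["id"]:
        return False
    ok = True
    for i, b in enumerate(bits(pkt["id"] + pkt["payload"])):
        want = pk[64 * i + 32 * b : 64 * i + 32 * b + 32]
        ok &= hmac.compare_digest(H(sig[32 * i : 32 * i + 32]), want)
    return ok

def session_packet(host_id, session_key, payload):
    # Host-to-host style: MAC keyed with a secret only the two endpoints hold.
    mac = hmac.new(session_key, host_id + payload, hashlib.sha256).digest()
    return {"id": host_id, "mac": mac, "payload": payload}

def endpoint_verify(pkt, session_key):
    good = hmac.new(session_key, pkt["id"] + pkt["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(good, pkt["mac"])

if __name__ == "__main__":
    sk, pk = keygen()                     # constructed sample host key
    pkt = make_packet(sk, pk, b"hello")   # constructed sample packet
    print("self-contained, genuine:  ", middlebox_verify(pkt))
    print("self-contained, forged ID:", middlebox_verify(dict(pkt, id=H(b"other"))))
    key = os.urandom(32)                  # known to the two endpoints only
    s = session_packet(H(pk), key, b"hello")
    print("session MAC at endpoint:  ", endpoint_verify(s, key))
    # A middlebox holds no key, so it cannot tell s from a packet with a random MAC.
```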