[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: addition of TLV to locator ID or locator ID set

To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: addition of TLV to locator ID or locator ID set
From: Paul Jakma <paul@clubi.ie>
Date: Sun, 2 Oct 2005 16:59:17 +0100 (IST)
Cc: Erik Nordmark <erik.nordmark@sun.com>, Brian E Carpenter <brc@zurich.ibm.com>, Spencer Dawkins <spencer@mcsr-labs.org>, shim6-wg <shim6@psg.com>
In-reply-to: <1b0d973b0bf507b3e238adfbc0f04725@it.uc3m.es>
Mail-copies-to: paul@hibernia.jakma.org
References: <Pine.GSO.4.20.0509221614300.28499-100000@meno.corp.us.uu.net> <Pine.LNX.4.63.0509230228280.3483@sheen.jakma.org> <433986D8.1080603@zurich.ibm.com> <Pine.LNX.4.63.0509281225470.3722@sheen.jakma.org> <599A3AB3-F21C-4E51-B705-101AC56DA569@tony.li> <EBB90B1D-5643-4CB7-BA1F-3701ADABC011@muada.com> <35E4CEA9-5D03-4F52-8394-E8E74B08F670@tony.li> <01a901c5c479$40af14b0$8b010a0a@china.huawei.com> <433BCDCD.2020401@zurich.ibm.com> <Pine.LNX.4.63.0509291332290.3722@sheen.jakma.org> <433C2B37.106@sun.com> <Pine.LNX.4.63.0509302106470.11479@sheen.jakma.org> <1b0d973b0bf507b3e238adfbc0f04725@it.uc3m.es>
Reply-to: shim6-wg <shim6@psg.com>, paul@clubi.ie

On Sun, 2 Oct 2005, marcelo bagnulo braun wrote:

IMHO, what would be not so hard to support would be that sourceaddress prefixes get rewritten by the exit routers as long as thethe security stuff remains end to end i.e. the hosts are the onesthat define the HBA/CGA sets and perform the security validation.That is basically offloading the source address selection to therouter, but the remining parts of the shim are still in the hosts.

That depends I guess on whether the HBA stuff tries to use more thanthe 64bits of lower-order address space reserved for the host. If itconfined itself to that, it could work. If HBA wants to affect thehigher order 64 bits, that would have implications for how to assignsuch addresses.

The HBA draft seems to suggest it confines itself to the 'interfaceidentifier' though. (In which case, you just need a way to make theavailable-prefixes known to the hosts, to allow them to construct theHBA identifier).

The problem here is how do you bind the key that is used in IPSec with theidentifier used.

If you don't provide a security binding, then an atacker can provide its ownkey and bind it to the victim's identifier, so no good.

The options to provide a secure binding are:
- a third trusted party i.e. PKI
- create the identifer so that it intrinsically contains key information i.e.CGA/HBA
because of the deployment issues, the second option seems more attractive

But you still have the issue of distributing the HBA public key, no?Otherwise the only thing HBA can prove is that the /first/ host whichcommunicated with you using some HBA address does not have itsaddresses subverted, right? Further, you will have to put a limit onhow long a host remembers state (or, on the number of remote HBAhosts it may keep state for). Once that state goes, so the windowopens up for the HBA concerned to be redirected, surely?


There's no difference between that and anonymous IPSec, is there?

IPSec however was designed to be able to be extensible and cope withlots of different algorithms and key exchange schemas. You'd have toreinvent all that to make HBA cope, plus you're limited to 128 bitsof information, if you want to use only the IPv6 address as theidentifier. (what about replay attacks? :) ).

Way I see it, as long as Shim state changes can not be effected withordinary shimmed packets, as long as state changes (eg,addition/removal of locators) can only be signaled via some side-bandShim protocol[1] then you only need to secure that side-band. IPSec(the standardised, deployed and agreed on IETF security protocol forIP..) will do fine for that and provide security ranging fromanonymous to more trustworthy schemes.

Mind you, I still don't really fully grok HBA - what critical detailam i missing?

regards, marcelo


regards,
--
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Goda's Truism:
	By the time you get to the point where you can make ends meet,
	somebody moves the ends.

Follow-Ups:
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

References:
- Re: addition of TLV to locator ID or locator ID set
  - From: "Jason Schiller (schiller@uu.net)" <jason.schiller@mci.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

Prev by Date: Re: addition of TLV to locator ID or locator ID set
Next by Date: Re: addition of TLV to locator ID or locator ID set
Previous by thread: Re: addition of TLV to locator ID or locator ID set
Next by thread: Re: addition of TLV to locator ID or locator ID set
Index(es):
- Date
- Thread