[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: addition of TLV to locator ID or locator ID set

To: paul@clubi.ie, shim6-wg <shim6@psg.com>
Subject: Re: addition of TLV to locator ID or locator ID set
From: Jari Arkko <jari.arkko@piuha.net>
Date: Mon, 03 Oct 2005 18:32:05 +0300
Cc: Iljitsch van Beijnum <iljitsch@muada.com>
In-reply-to: <Pine.LNX.4.63.0510031333220.11479@sheen.jakma.org>
References: <Pine.GSO.4.20.0509221614300.28499-100000@meno.corp.us.uu.net> <Pine.LNX.4.63.0509230228280.3483@sheen.jakma.org> <433986D8.1080603@zurich.ibm.com> <Pine.LNX.4.63.0509281225470.3722@sheen.jakma.org> <599A3AB3-F21C-4E51-B705-101AC56DA569@tony.li> <EBB90B1D-5643-4CB7-BA1F-3701ADABC011@muada.com> <35E4CEA9-5D03-4F52-8394-E8E74B08F670@tony.li> <01a901c5c479$40af14b0$8b010a0a@china.huawei.com> <433BCDCD.2020401@zurich.ibm.com> <Pine.LNX.4.63.0509291332290.3722@sheen.jakma.org> <433C2B37.106@sun.com> <Pine.LNX.4.63.0509302106470.11479@sheen.jakma.org> <1b0d973b0bf507b3e238adfbc0f04725@it.uc3m.es> <Pine.LNX.4.63.0510021632580.11479@sheen.jakma.org> <952e6116b66282481d0589f3e82e465c@it.uc3m.es> <Pine.LNX.4.63.0510030859000.11479@sheen.jakma.org> <A2A9BD5D-4BF6-4351-B0B2-AD65FF85CDD5@muada.com> <Pine.LNX.4.63.0510031333220.11479@sheen.jakma.org>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

CGA simply ties a public key / certificate to an address. This key orcertificate can then be used to authenticate further exchanges so anattacker can't successfully inject shim signalling.
That's the same thing you could achieve with anonymous IPSec. (Though,IPSec associates state with a 'security association' rather thanaddress, which could be more fine-grained than CGA). It's an anonymouskey either way, unless there is some other way to verify theauthenticity of a key and what it may be used for / who it is issuedfor (who in terms of IP addresses). ,


This discussion is somewhat hard, because there are different
interpretations of what anonymous IPsec is. In some cases its
an anonymous encryption scheme which does nothing more than
prevent wholesale traffic interception. In some other cases its
a leap-of-faith scheme to establish a binding between an address
(or selectors) and a key. Or we could be talking about MOBIKE,
which enables the movement and multihoming of a tunnel
endpoint.

Nevertheless, as far as I know, there is no IPsec variant that
provides what CGA does, i.e., establish a secure relationship
from an address to a key. Or what HBA does, establish a secure
relationship between addresses. Anonymous IPsec can be made to
provide a secure relationship from a key to an address, but that's not
the same thing, because its not a bidirectional relationship. Anonymous
IPsec, as defined in draft-williams-btns-00.txt can be used to
lock keys and addresses together, but this can only be used in
a very limited manner as there's a DoS problem when someone
accidentally or maliciously locks an address that you would
need to use.

This is not to say that IPsec couldn't work for this. It can,
particularly in specific applications. For instance, MOBIKE
works because it deals only with VPN tunnel endpoints of an
established security association, and does not add any
means to grab someone else's traffic inside the moving
or multihoming tunnel.

--Jari

References:
- Re: addition of TLV to locator ID or locator ID set
  - From: "Jason Schiller (schiller@uu.net)" <jason.schiller@mci.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>

Prev by Date: Re: addition of TLV to locator ID or locator ID set
Next by Date: Re: addition of TLV to locator ID or locator ID set
Previous by thread: Re: addition of TLV to locator ID or locator ID set
Next by thread: Re: addition of TLV to locator ID or locator ID set
Index(es):
- Date
- Thread