[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: addition of TLV to locator ID or locator ID set

To: Paul Jakma <paul@clubi.ie>
Subject: Re: addition of TLV to locator ID or locator ID set
From: Jari Arkko <jari.arkko@piuha.net>
Date: Mon, 03 Oct 2005 18:42:42 +0300
Cc: shim6-wg <shim6@psg.com>
In-reply-to: <Pine.LNX.4.63.0510031624100.11479@sheen.jakma.org>
References: <Pine.GSO.4.20.0509221614300.28499-100000@meno.corp.us.uu.net> <433986D8.1080603@zurich.ibm.com> <Pine.LNX.4.63.0509281225470.3722@sheen.jakma.org> <599A3AB3-F21C-4E51-B705-101AC56DA569@tony.li> <EBB90B1D-5643-4CB7-BA1F-3701ADABC011@muada.com> <35E4CEA9-5D03-4F52-8394-E8E74B08F670@tony.li> <01a901c5c479$40af14b0$8b010a0a@china.huawei.com> <433BCDCD.2020401@zurich.ibm.com> <Pine.LNX.4.63.0509291332290.3722@sheen.jakma.org> <433C2B37.106@sun.com> <Pine.LNX.4.63.0509302106470.11479@sheen.jakma.org> <1b0d973b0bf507b3e238adfbc0f04725@it.uc3m.es> <Pine.LNX.4.63.0510021632580.11479@sheen.jakma.org> <952e6116b66282481d0589f3e82e465c@it.uc3m.es> <Pine.LNX.4.63.0510030859000.11479@sheen.jakma.org> <b3c2d68a0895cbfc08febf117b9c619e@it.uc3m.es> <Pine.LNX.4.63.0510031054080.11479@sheen.jakma.org> <ad357836c9f76cf7dedd7cf025607878@it.uc3m.es> <Pine.LNX.4.63.0510031435200.11479@sheen.jakma.org> <43414AF1.7080008@piuha.net> <Pine.LNX.4.63.0510031624100.11479@sheen.jakma.org>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

Right, and the protocol we have for key data exchange is IKE.


Well... not really. I at least tend to think of security problems
as somewhat application specific. We've certainly tried on many
occasions to use an underlying IPsec/IKE security model to do
things beyond basic VPN. However, in my experience this
has most often failed. See http://www.arkko.com/publications/SWP03.pdf
for a discussion of some of these cases.

At which point you may possibly just want to use IPSec AH to securethe traffic. Would I be correct in thinking that only advantage CGAfor such off-link authentication would be saving packet-data overheadof the AH header?


No. There were, in fact, a number of other fundamental issues that
led to the selection of CGA-in-ND-options approach in SEND over
AH-enhanced-with-CGA. These issues had to do with the
division of work within a stack, the expressive power of policy
entries, co-existence with non-SEND devices, mismatch between
provided and expected models (e.g. number of parties), and so
on.

--Jari

Follow-Ups:
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>

References:
- Re: addition of TLV to locator ID or locator ID set
  - From: "Jason Schiller (schiller@uu.net)" <jason.schiller@mci.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Jari Arkko <jari.arkko@piuha.net>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>

Prev by Date: Re: addition of TLV to locator ID or locator ID set
Next by Date: Re: addition of TLV to locator ID or locator ID set
Previous by thread: Re: addition of TLV to locator ID or locator ID set
Next by thread: Re: addition of TLV to locator ID or locator ID set
Index(es):
- Date
- Thread