Hi Francis,

On 21/07/2006, at 17:16, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    It is quite clear for me now the discussion points.
>    I think these go way beyond the actual shim6 work, since you seem to be
>    challenging some fundamental assumptions that we use to start working
>    on shim, namely:
>    - the threat model of mip (in particular time shifted attacks that were
>      the base threat for requiring mip RR and shim HBAs)
>    - the difficulty in deploying a global PKI and issuing client certificates
>
> => I strongly disagree about the first point (the main threat of mip
> is the remote redirection, time shifted attacks and similar things are
> second order issues),
I agree that the main threat is redirection attacks and this is reflected in 4218, but my point was that the most difficult attacks to prevent are the time-shifted attacks and this is why we end up with things like _periodic_ RR in mip and HBA/CGA in shim. If time-shifted attacks were not an issue, we could have used cookies for instance or hash chains to protect the shim in conjunction with the already existent routing based security (meaning the assumption that the routing system delivers packets to the rightful "owners" of the addresses).
So, the hypothesis of 4218 and of mip security is of course as you say that the fundamental threat is redirection attacks, but also that time shifted attacks need to be prevented... agree with this?
> and I don't fully agree with the second because the only issue is the
> global PKI (i.e., issuing client certificates is again second order).
Global PKI is a big obstacle for deployment, but imho the generation of client certificates is also. I mean, imagine having to create a client certificate for every host in the internet. Imagine that for those, you need to verify the rightful ownership of the IP address included in the certificate. Technically this may be simple, but logistically, this requires a lot of effort imho.
Regards, marcelo
> Regards
>
> Francis.Dupont@point6.net