Re: Security Module for shim6 or hip really
[resent from last week]
On 31-jul-2006, at 11:44, marcelo bagnulo braun wrote:
>> it's possible that an implementation supports a certain security
>> mechanism for authenticating its own stuff but not for checking
>> the authentication of the other side,

> i am not following this...
> a host doesn't need security to check its own locator set, we assume
> that it has some local means to verify which its own locators
> are... (but i guess this is not what you were thinking about...)

No, what I mean is: suppose only generating a HBA/CGA iid is covered
by the claimed Ericsson patent, but checking the HBA/CGA isn't. Or
the other way around. Then someone may want to implement only the
part that isn't covered by the patent. Obviously in this case that's
unlikely and not very useful because we need something that both ends
can handle, but in the case of PKI-derived security this is a normal
situation: if I don't have a certificate for myself but I do have the
root certificates I can check someone else's certificate but I can't
protect my own locators with this security mechanism. So when we
exchange capabilities, for the security stuff we need to have
separate lists for what we support for outgoing locator sets and what
we support for incoming locator sets.

>>> (the reception of packets is done solely based on the context tag,
>>> so it doesn't matter which source locator is used).

>> I don't like this assumption...

> why not?

Because then you can't get rid of the context tag.

>> Does it make sense to have different authentication mechanisms for
>> different locators?

> well, i think so
> suppose you have a CGA/HBA address
> you can use the HBA mechanisms to move among a stable set of
> locators and you can use the CGA method to add new locators that
> were not present initially to the locator set

Ok.
But is it worth the trouble to support this? We could say that if you
want to add any locators outside your HBA set you must use CGA for
the whole set. This way all locators share the same security
mechanism which should make life a bit simpler. :-)
On the other hand the trouble with CGA is that you need to send a
challenge to make sure the other side really holds the secret key so
validating the HBA locators using HBA has the advantage that you can
use those while waiting for the response to your challenge to
validate the CGA-only locators.
Iljitsch