> I see your point. The draft assumes a security association between the
> ITR and the MS in order to authenticate the Map-Notifies. I think this

We can’t assume this. That is, a subscriber may not register its EID-prefixes to the same map-server that the EID-prefix it is Map-Requesting is registered to. So there would be no security association between the two.

> addresses your valid concern on spoofed Map-Notifies. How this
> security association is established is a different discussion :)

You need to store the nonce in the Map-server. See Fabio’s slide of our demo. My implementation does it the way Erik is suggesting.

> Note also that, ideally, the Map-Notifies sent as publications should
> each have a different nonce so the MS can easily correlate them with
> the Map-Notify-Acks received as responses.

It can do that with the Map-Request nonce as well.

Dino

_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
