Pekka,

>-----Original Message-----
>From: Pekka Nikander [mailto:[email protected]]
>Sent: Monday, January 12, 2009 8:46 AM
>To: Templin, Fred L
>Cc: RRG
>Subject: Re: Recursive re-encapsulations
>
>>> However, if we aim for the kind of hybrid LISP-HIP-proxy design that
>>> I've been suggesting, I believe that the packet formats could be much
>>> simpler.
>>
>> I'm not exactly sure how; xTR means IP-in-IP encapsulation.
>> Were you meaning for it to mean something else?
>
>What I have been trying to describe is taking the LISP architecture
>and then replacing some parts of the xTR functionality with proxy-HIP.
>
>> With RANGER/VET/SEAL, I am looking for a way for the ITR to
>> establish sufficient securing state in the ETR through a single
>> message sent forward before any data messages are sent (i.e.,
>> a "1-way handshake"). Can HIP do that?
>
>Depends on your security requirements and what you store in your
>mapping system.
>
>A very short answer is that if you care about all the security threats
>HIP cares about, then if the ETR stores the HIP puzzle into the
>mapping system so that the ITR gets the puzzle along the ETR RLOC,
>then HIP can do that.
With RANGER, I was thinking that the ITR could send an IPv6 Router
Advertisement using SEND forward to the ETR and then just start
admitting packets into the tunnel. The ETR will verify the credentials
in the RA (e.g., by checking in the mapping system, by consulting a
certificate authority, etc.) and set an ingress filter entry if the
credentials check out. The ETR can then start accepting packets from
the ITR.

If the ITR's credentials don't check out, the ETR will instead drop
packets and send back rate-limited ICMP "Destination Unreachable;
Administratively Prohibited" messages. The ITR can then use SEAL as a
loose method of authenticating the ICMP messages, and can try again to
establish the ingress filter if it thinks it has the correct
credentials.

Does that match the model you were thinking of?

Thanks - Fred
[email protected]

>--Pekka
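A toy model of the 1-way handshake Fred describes above, added here as an example and not code from this thread or from RANGER/VET/SEAL itself. The mapping-system credential lookup, the per-packet SEAL identification value echoed back in the ICMP, and the one-second ICMP rate limit are all assumptions made for the model.

```python
from dataclasses import dataclass

# Constructed mapping system: ETR-side credential lookup keyed by ITR RLOC (assumption).
MAPPING_SYSTEM = {"2001:db8:1::1": "itr-cred-A"}

@dataclass
class SealPacket:  # assumption: each tunneled packet carries a SEAL identification value
    src_rloc: str
    seal_id: int

@dataclass
class IcmpUnreachable:  # "Destination Unreachable; Administratively Prohibited"
    seal_id: int  # echoed from the dropped packet so the ITR can loosely check it

class ETR:
    def __init__(self, icmp_min_interval=1.0):
        self.ingress_filter, self.last_icmp = set(), {}
        self.icmp_min_interval = icmp_min_interval
    def receive_ra(self, src_rloc, credential):
        # Forward SEND RA arrives; if credentials check out, install the ingress filter entry.
        if MAPPING_SYSTEM.get(src_rloc) == credential:
            self.ingress_filter.add(src_rloc)
    def receive_packet(self, pkt, now):
        if pkt.src_rloc in self.ingress_filter:
            return "accept", None
        last = self.last_icmp.get(pkt.src_rloc)  # not admitted: drop, ICMP is rate-limited
        if last is not None and now - last < self.icmp_min_interval:
            return "drop", None
        self.last_icmp[pkt.src_rloc] = now
        return "drop", IcmpUnreachable(pkt.seal_id)

class ITR:
    def __init__(self, rloc, credential):
        self.rloc, self.credential, self.sent_ids = rloc, credential, set()
    def send(self, seal_id):
        self.sent_ids.add(seal_id)
        return SealPacket(self.rloc, seal_id)
    def icmp_plausible(self, icmp):  # loose authentication: only ICMPs echoing an id we sent
        return icmp.seal_id in self.sent_ids

def simulate(credential):
    """ITR sends its RA, then packets at t=0, 0.5, 2.0 s; returns (verdict, icmp_plausible)."""
    itr, etr = ITR("2001:db8:1::1", credential), ETR()
    etr.receive_ra(itr.rloc, itr.credential)
    results = []
    for seal_id, now in ((1, 0.0), (2, 0.5), (3, 2.0)):
        verdict, icmp = etr.receive_packet(itr.send(seal_id), now)
        results.append((verdict, icmp is not None and itr.icmp_plausible(icmp)))
    return results
```

With valid credentials every packet is accepted; with bad credentials every packet is dropped, the second packet draws no ICMP because of the rate limit, and an ICMP that echoes an id the ITR never sent fails the loose check.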
