On Fri, Jan 22, 2010 at 11:58 AM, Xu Xiaohu <[email protected]> wrote:
> <skipped>
>
>> > An increasing number of hosts have computational constraints due to
>> > being hand-held devices with very limited battery power. This is no
>> > problem for simple protocols and caching a few things, but if
>> > cryptographic work is required in the CEE protocols, then I think it
>> > is more of a problem.
>>
>> I agree here, do we really need to have a cryptographic solution on the
>> network layer?
>> We are trying to remove the IP address overload (identifier and
>> locator) but if we are not careful we could introduce some other
>> overload mechanism that somebody has to deal with in the future. The
>> transport layer can take care of things and also the application layer
>> can take care of things, such as cryptographic
>
> In the current Internet architecture, the overlapping of IP address
> semantics makes it possible to use uRPF to avoid IP (as the role of ID)
> spoofing to some extent. However, in an ID/locator split architecture, ID
> spoofing will be much harder to prevent provided there is no mechanism
> for ID authentication (uRPF is useless for ID checking). If cryptographic
> identifiers are not used, ID authentication would have to rely on a
> third-party certification infrastructure.
>

I think that depends upon the ID/locator split architecture, i.e. how the split is carried out.

If you do the ID/locator split within the network layer, then you might need the mechanism you described above. But if you do a regional-edge/global-core locator split within the network layer and move the ID element to the transport layer, the ISP can still do uRPF on both locators. The architectural question is: does the ID authentication issue belong to the network or to the hosts (or the applications they use)? Where should the ID authentication be applied?

-- patte

_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
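As an added illustration of the point argued above (this is not code from the thread or from any of the participants), the following Python sketch models an ISP edge router running strict and loose uRPF over a constructed forwarding table, then applies the check to packets whose header carries a separate locator and identifier. The packet format, the prefixes and the interface names are all constructed for the example. It shows what uRPF does verify (the source locator arrived on the interface the router would use to reach it) and what it cannot see at all (the identifier field), which is why ID authentication has to live somewhere other than the locator-based filter.

```python
import ipaddress

# Constructed forwarding table for an ISP edge router:
# (prefix, interface through which that prefix is reached).
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream0"),        # default route
    (ipaddress.ip_network("192.0.2.0/24"), "customer1"),
    (ipaddress.ip_network("198.51.100.0/24"), "customer2"),
]


def best_route(fib, addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(fib, src, ingress):
    """Strict uRPF: accept only if the best route back to src points at the
    interface the packet actually arrived on."""
    return best_route(fib, src) == ingress


def urpf_loose(fib, src):
    """Loose uRPF: accept if any route other than the default covers src."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix, _ in fib if prefix.prefixlen > 0)


def filter_split_packets(fib, packets):
    """Run strict uRPF over packets with separate locator and identifier fields.
    Only the locator is consulted; the identifier is never read, so a packet
    carrying a forged identifier behind a legitimate locator passes untouched."""
    return [(pkt["id"], urpf_strict(fib, pkt["locator"], pkt["ingress"])) for pkt in packets]


# Constructed sample packets, all arriving on interface customer1.
SAMPLE_PACKETS = [
    {"locator": "192.0.2.10", "id": "host-A", "ingress": "customer1"},    # legitimate
    {"locator": "192.0.2.10", "id": "host-B", "ingress": "customer1"},    # same locator, different ID
    {"locator": "198.51.100.7", "id": "host-C", "ingress": "customer1"},  # locator belongs to customer2
    {"locator": "203.0.113.5", "id": "host-D", "ingress": "customer1"},   # only the default route covers it
]

if __name__ == "__main__":
    for ident, accepted in filter_split_packets(FIB, SAMPLE_PACKETS):
        print(f"{ident}: {'pass' if accepted else 'drop'}")
```

Running it drops host-C and host-D, whose locators do not belong on customer1, but passes both host-A and host-B: the filter has no way to tell that the second packet's identifier does not match the first's, which is exactly the gap that either cryptographic identifiers or a certification infrastructure would have to close at the transport or application layer.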
