On Thu, Jun 10, 2010 at 7:33 PM, RJ Atkinson <[email protected]> wrote:
> I apologise for being very unclear in my earlier note.
> I actually meant the other MILCOM 2009 paper online:
>
> R. Atkinson & S. Bhatti,
> Site-Controlled Secure Multi-homing and Traffic Engineering for IP,
> 28th IEEE Military Communications Conference (MILCOM),
> Boston, MA, USA, October 2009
>

Thanks, got it!

> Hmm.
>
> It isn't really "having an external partner update their ACL
> or firewall rules", but instead using learned local knowledge
> (knowledge that can be authenticated!) to locally update
> local ACL or firewall rules.
>
> That is, the ruleset remains whatever was locally chosen;
> it is just that, as the location change is learned,
> the same locally-specified rule is then applied
> to the same locally-specified node/site
> at the remote node/site's new location.
>
> There are multiple authentication mechanisms for those
> ICMP Locator Updates:
> - non-cryptographic session nonces are always used
> - cryptographic authentication of the packet (IPsec AH)
>   can optionally be used

This is a little controversial: for the routing architecture the IP address is divided into identifier and locator values, but in order to traverse security architectures both are glued together again as an IP address, making one architecture scale better while the other becomes more complex.

> Separately, DNS with DNS Security can be used to retrieve
> the revised Locator value(s) from the DNS

Found this on Wikipedia:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Zone_enumeration_issue.2C_controversy.2C_and_NSEC3

"In addition, the information from an enumerated zone can be used as a key for multiple WHOIS queries; this would reveal registrant data which many registries are under strict legal obligations to protect under various contracts. It is unclear whether DNSSEC is legal to deploy at all in many countries, unless such lists can be kept private. DENIC has stated that DNSSEC's zone enumeration issue violates Germany's Federal Data Protection Act, and other European countries have similar privacy laws forbidding the public release of certain kinds of information."

Seems that NSEC3 is needed before we can use DNSSEC to carry the identifier.

-- patte

_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
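The zone-enumeration point raised in the reply above, shown in working code as an added example (it is not part of the rrg thread and not code from either author). It builds an NSEC chain and an NSEC3 chain (RFC 5155 hashing: salted, iterated SHA-1, base32hex owner names) over a constructed zone under a made-up apex "example.", walks both the way an enumerating client would, and then runs a small dictionary attack on the NSEC3 hashes. The zone names, salt and iteration count are constructed for the example; the one real value is the RFC 5155 Appendix A test vector used as a cross-check of the hash routine.

```python
"""NSEC vs NSEC3 zone walking (added example, not from the rrg thread).

An NSEC chain links owner names in canonical order, so following the
"next" pointers from the apex enumerates the zone.  NSEC3 (RFC 5155)
links salted, iterated SHA-1 hashes of the names instead: a walk yields
only hashes, and names come back only by guessing them.
"""
import base64
import hashlib

# Constructed sample zone under a made-up apex.
ZONE_NAMES = ["example.", "www.example.", "mail.example.",
              "intranet.example.", "vpn.example."]
# Constructed NSEC3 parameters (arbitrary salt and iteration count).
SALT = bytes.fromhex("0badcafe")
ITERATIONS = 5


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a fully-qualified name."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the 'extended hex' alphabet used for NSEC3 owner names."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(0)=H(name|salt), IH(k)=H(IH(k-1)|salt), H=SHA-1."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def rfc5155_vector_ok() -> bool:
    """RFC 5155 Appendix A: 'example.' with salt aabbccdd and 12 iterations."""
    expected = "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"
    return nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12) == expected


def canonical_key(name: str):
    """RFC 4034 canonical ordering: labels compared right to left, lower-cased."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def nsec_chain(names):
    """owner -> next owner in canonical order; the last one wraps to the first."""
    ordered = sorted(names, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def nsec3_chain(names, salt, iterations):
    """hashed owner -> next hashed owner, in the order the server would use."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {hashed[i]: hashed[(i + 1) % len(hashed)] for i in range(len(hashed))}


def walk(chain, start):
    """Follow 'next' pointers until the chain wraps: what an enumerating client
    does with the NSEC/NSEC3 records it collects from NXDOMAIN answers."""
    seen = [start]
    cur = chain[start]
    while cur != start:
        seen.append(cur)
        cur = chain[cur]
    return seen


def recover_names(hashes, wordlist, apex, salt, iterations):
    """Dictionary attack on walked NSEC3 hashes: NSEC3 raises the cost of
    enumeration, it does not make guessable names unguessable."""
    targets = set(hashes)
    candidates = [apex] + [f"{label}.{apex}" for label in wordlist]
    found = {}
    for cand in candidates:
        h = nsec3_hash(cand, salt, iterations)
        if h in targets:
            found[h] = cand
    return found


if __name__ == "__main__":
    print("NSEC walk :", walk(nsec_chain(ZONE_NAMES), "example."))
    chain = nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    hashed = walk(chain, next(iter(chain)))
    print("NSEC3 walk:", hashed)
    print("recovered :", recover_names(hashed, ["www", "mail", "ftp", "vpn"],
                                       "example.", SALT, ITERATIONS))
    print("RFC 5155 vector ok:", rfc5155_vector_ok())
```

The NSEC walk returns every name in the zone; the NSEC3 walk returns only 32-character hashes, and the dictionary step gets back exactly the names whose labels were guessed (here www, mail and vpn plus the apex, not intranet). That is the caveat behind "NSEC3 is needed": it stops trivial walking but not offline guessing of common labels, which is why later guidance (RFC 9276) recommends zero extra iterations and an empty salt rather than relying on the hash cost.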
