Re: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement andRequirements

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Tue, 19 June 2007 07:49 UTC

Return-path: <eme-bounces@irtf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I0YT9-0000Qa-RR; Tue, 19 Jun 2007 03:49:43 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I0YT8-0000QQ-5K for eme@irtf.org; Tue, 19 Jun 2007 03:49:42 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1I0YT6-0003iP-MV for eme@irtf.org; Tue, 19 Jun 2007 03:49:42 -0400
Received: (qmail invoked by alias); 19 Jun 2007 07:49:39 -0000
Received: from p549869D1.dip.t-dialin.net (EHLO [192.168.1.3]) [84.152.105.209] by mail.gmx.net (mp053) with SMTP; 19 Jun 2007 09:49:39 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX18UGQ1dzhUUbU06C6tId5kVjoWg7H5gohvjuLXfj5 OT0Gev0pqLpyOg
Message-ID: <46778A94.1010604@gmx.net>
Date: Tue, 19 Jun 2007 09:49:40 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: Paul Francis <francis@cs.cornell.edu>
Subject: Re: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement andRequirements
References: <E6F7A586E0A3F94D921755964F6BE006C9806B@EXCHANGE2.cs.cornell.edu> <4677818C.7070008@gmx.net>
In-Reply-To: <4677818C.7070008@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2409bba43e9c8d580670fda8b695204a
Cc: eme@irtf.org
X-BeenThere: eme@irtf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: end-middle-end research group <eme.irtf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/eme>
List-Post: <mailto:eme@irtf.org>
List-Help: <mailto:eme-request@irtf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=subscribe>
Errors-To: eme-bounces@irtf.org

another minor thing:


>> Sorry if this is a stupid question, but am I right in assuming that 
>> with hip
>> nat/fw traversal, the middleboxes can authenticate the HIP setup, but 
>> not
>> data packets themselves (which after all are vanilla IPSec packets)
>>   
> That's true unless you use
> * digitally sign each packet
> * Establish IPsec tunnels recursively, or
> * use something similar to the stuff suggested in 
> http://www.ambient-networks.org/docs/Advanced_HIP_based_Firewall_Traversal.pdf 
>
>
> But again, there is the question why you actually need this 
> functionality.

Btw, you don't need to verify the data traffic when you are concerned 
that someone injects traffic that will be processed by the end point. If 
an adversary would do that then the packet would be discarded at the end 
point since it would not pass IPsec processing.

Ciao
Hannes


_______________________________________________
EME mailing list
EME@irtf.org
https://www1.ietf.org/mailman/listinfo/eme