[Hipsec-rg] New I-D: draft-vogt-hip-credit-based-authorization-00.txt

chvogt@tm.uka.de (Christian Vogt) Tue, 15 February 2005 06:11 UTC

From: chvogt@tm.uka.de
Date: Tue, 15 Feb 2005 06:11:03 +0000
Subject: [Hipsec-rg] New I-D: draft-vogt-hip-credit-based-authorization-00.txt
Message-ID: <4211D88A.3070209@tm.uka.de>
X-Date: Tue Feb 15 06:11:03 2005

Hi HIP folks.

End-Host Mobility with HIP as well as Mobile IPv6 require a reachability 
test of a mobile node's new IP address.  This test must be performed 
before packets are sent to this new IP address to prevent malicious 
redirection attacks and third-party flooding.

In the MIP6 and Mobopts groups, we have thought about a secure way to 
check a mobile node's reachability at a new IP address, subsequent to 
handover, *in parallel* with already having communications go through 
this new IP address.  We particularly discussed a credit-based solution, 
Credit-Based Authorization (CBA).

It turns out that CBA can be applied to End-Host Mobility with HIP as 
well.  Pekka and I talked about this at the IETF 61 meeting in 
Washington D.C.

The draft cited below gives an overview of CBA and explains its 
integration with HIP mobility.  Your folks' opinions on this topic are 
greatly appreciated.

Best regards,

- Christian

PS:  I posted this email on the HIP WG's mailing list as well.


Title...: Credit-Based Authorization for HIP Mobility with
           Concurrent IP-Address Tests
Author..: Christian Vogt
http://www.tm.uka.de/~chvogt/ro2/pub/2005/draft-vogt-hip-credit-based-authorization-00.txt

Abstract
    End-host mobility with the Host Identity Protocol uses IP-address
    tests to protect against malicious packet redirection and third-party
    flooding.  The tests cause handover signaling delays to increase by
    one round-trip time.  This document proposes a credit-based strategy
    that allows peers to securely resume active communications after
    handover as soon as possible, and to pursue a concurrent IP-address
    test subsequently.  The optimization thus eliminates the additional
    handover delay that IP-address tests entail.

-- 
Christian Vogt, Institute of Telematics, University of Karlsruhe
www.tm.uka.de/~chvogt/pubkey/

   "No great genius has ever existed without some touch of
    madness." (Aristotle)
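The credit-based idea sketched in the abstract above, as an added illustration that is not part of the original mail or the draft it announces. It models the correspondent side of Credit-Based Authorization: data received from a peer earns credit, a peer's freshly announced address is treated as unverified until the concurrent IP-address test completes, and traffic to an unverified address is only sent while credit remains. The byte-for-byte credit rule, the aging factor and the scenario numbers are constructed modeling assumptions, chosen to show the property the text cares about: a peer cannot make the correspondent send more to an unverified address than the peer itself has sent, so third-party flooding gains no amplification, while communication resumes without waiting a round trip for the test.

```python
from dataclasses import dataclass


@dataclass
class CbaPeer:
    """Per-peer state at the correspondent (constructed model, not the draft's own data structure)."""
    credit: int = 0                 # bytes the correspondent may still send to an unverified address
    address_verified: bool = True   # current address has passed a reachability (IP-address) test
    bytes_received: int = 0         # accounting, used to check the amplification bound
    bytes_sent_unverified: int = 0  # accounting


CREDIT_AGING_FACTOR = 0.875  # assumption: credit decays by one eighth per aging interval


def on_receive(peer: CbaPeer, nbytes: int) -> None:
    """Data received from the peer earns credit, byte for byte (assumed rule)."""
    peer.bytes_received += nbytes
    peer.credit += nbytes


def on_handover(peer: CbaPeer) -> None:
    """Peer announces a new address; it stays unverified until the concurrent test completes."""
    peer.address_verified = False


def on_address_test_passed(peer: CbaPeer) -> None:
    """Reachability test succeeded: the address is trusted and credit no longer limits sending."""
    peer.address_verified = True


def age_credit(peer: CbaPeer) -> int:
    """Let unused credit decay so an attacker cannot bank it indefinitely; returns the new credit."""
    peer.credit = int(peer.credit * CREDIT_AGING_FACTOR)
    return peer.credit


def try_send(peer: CbaPeer, nbytes: int) -> bool:
    """Return True if a packet of nbytes may be sent to the peer's current address now.

    To a verified address: always.  To an unverified address: only while the
    peer has enough credit, which is spent as the packet goes out.  The total
    sent before verification therefore never exceeds what the peer sent us.
    """
    if peer.address_verified:
        return True
    if peer.credit < nbytes:
        return False  # caller queues or drops until the IP-address test completes
    peer.credit -= nbytes
    peer.bytes_sent_unverified += nbytes
    return True


def simulate() -> dict:
    """Constructed scenario: the peer uploads, moves, and the correspondent keeps streaming."""
    peer = CbaPeer()
    for _ in range(3):            # peer sends 3 x 1000 bytes from its verified address
        on_receive(peer, 1000)
    on_handover(peer)             # peer moves; new address unverified, test starts in parallel
    sent = blocked = 0
    for _ in range(5):            # correspondent has 5 x 1000-byte packets ready during the test
        if try_send(peer, 1000):
            sent += 1
        else:
            blocked += 1
    on_address_test_passed(peer)  # test completes; remaining traffic flows without credit
    sent_after = try_send(peer, 1000)
    return {
        "sent_during_test": sent,
        "blocked_during_test": blocked,
        "sent_after_test": sent_after,
        "bytes_received": peer.bytes_received,
        "bytes_sent_unverified": peer.bytes_sent_unverified,
        "credit_left": peer.credit,
    }


def aging_example(initial_credit: int, intervals: int) -> int:
    """Credit left after a number of aging intervals with no further traffic from the peer."""
    peer = CbaPeer(credit=initial_credit)
    for _ in range(intervals):
        age_credit(peer)
    return peer.credit


if __name__ == "__main__":
    print(simulate())
    print(aging_example(1000, 2))
```

In the scenario, three of the five packets go out immediately after the handover and two wait for the test, which is exactly the bound `bytes_sent_unverified <= bytes_received`; a correspondent deploying this would also want to cap the credit it is willing to hold and to age it, as `age_credit` does, so that a peer cannot accumulate a large reserve and then point it at a victim address.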