[Hipsec] New I-D: draft-vogt-hip-credit-based-authorization-00.txt
chvogt@tm.uka.de (Christian Vogt) Tue, 15 February 2005 06:13 UTC
From: chvogt@tm.uka.de
Date: Tue, 15 Feb 2005 06:13:00 +0000
Subject: [Hipsec] New I-D: draft-vogt-hip-credit-based-authorization-00.txt
Message-ID: <4211D90C.7080400@tm.uka.de>

Hi HIP folks.

End-Host Mobility with HIP as well as Mobile IPv6 require a reachability test of a mobile node's new IP address. This test must be performed before packets are sent to this new IP address to prevent malicious redirection attacks and third-party flooding.

In the MIP6 and Mobopts groups, we have thought about a secure way to check a mobile node's reachability at a new IP address, subsequent to handover, *in parallel* with already having communications go through this new IP address. We particularly discussed a credit-based solution, Credit-Based Authorization (CBA).

It turns out that CBA can be applied to End-Host Mobility with HIP as well. Pekka and I talked about this at the IETF 61 meeting in Washington D.C. The draft cited below gives an overview on CBA and explains its integration with HIP mobility.

Your folks' opinions on this topic are greatly appreciated.

Best regards,

- Christian

PS: I posted this email on the HIP RG's mailing list as well.

Title...: Credit-Based Authorization for HIP Mobility with Concurrent IP-Address Tests
Author..: Christian Vogt

http://www.tm.uka.de/~chvogt/ro2/pub/2005/draft-vogt-hip-credit-based-authorization-00.txt

Abstract

End-host mobility with the Host Identity Protocol uses IP-address tests to protect against malicious packet redirection and third-party flooding. The tests cause handover signaling delays to increase by one round-trip time. This document proposes a credit-based strategy that allows peers to securely resume active communications after handover as soon as possible, and to pursue a concurrent IP-address test subsequently. The optimization thus eliminates the additional handover delay that IP-address tests entail.

--
Christian Vogt, Institute of Telematics, University of Karlsruhe
www.tm.uka.de/~chvogt/pubkey/

"No great genius has ever existed without some touch of madness." (Aristotle)