Re: [Hipsec] feedback of hiccups-01 draft

Tobias Heer <heer@cs.rwth-aachen.de> Thu, 30 July 2009 09:13 UTC

Message-id: <5D119CF4-5462-437D-884C-3434A15CE4BE@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: miika.komu@hiit.fi
In-reply-to: <4A716061.3050906@hiit.fi>
Date: Thu, 30 Jul 2009 11:13:00 +0200
References: <49815F7E.5080604@hiit.fi> <4A6F0D31.9020501@nomadiclab.com> <4A716061.3050906@hiit.fi>
X-Mailer: Apple Mail (2.935.3)
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] feedback of hiccups-01 draft
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2009 09:13:04 -0000

Am 30.07.2009 um 10:57 schrieb Miika Komu:

> Jan Melen wrote:
>
> Hi,
>
>> Miika Komu wrote:
>>>
>>> * I guess the draft assumes that data packets may be sent over HIP- 
>>> aware overlays. I would suggest that the authors have a look at  
>>> draft-heer-hip-middle-auth and perhaps add a pointer to the draft.  
>>> Particularly, I would propose to make the public key mandatory and  
>>> perhaps the middlebox extension as SHOULD? There is a new version  
>>> of the draft coming up very soon. Feel free to ask Tobias for a  
>>> preview if you are interested.
>> I think that the host on the path should not verify the signatures  
>> on HIP_DATA packets as it is meant that these are anyway only a few  
>> packets that are exchanged between the peers and not a stream of  
>> data. For streams you set up a full HIP association using base  
>> exchange and ESP as a transport.
>
> no, I meant that the middleboxes should apply nonces to the messages.

Jan is right: Without a multi-packet protocol defined (back and forth  
at least), the MB authentication extensions don't work. However, for  
packets that require an acknowledgement, it would somewhat work and  
you could determine the identity of the receiver. For authenticating  
the sender, you need three consecutive messages. Hence, using the MB  
authentication extension makes more sense for stream-like connections.

Tobias

> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec




--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
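The point Tobias makes about message counts can be shown with a small simulation of a middlebox that injects nonces into HIP-style packets and only treats a peer as authenticated once it sees its own nonce signed back. This is an added example, not code from the draft, from either HIP implementation, or from anyone in this thread. The packet layout, the names `Host`/`Middlebox`/`run_exchange`, and the use of HMAC over a per-host key that the middlebox can look up are all assumptions of the simulation; real HIP middlebox authentication verifies a signature made with the Host Identity public key.

```python
"""Middlebox nonce challenges on a HIP-style exchange (simulation).

Added example, not from draft-heer-hip-middle-auth or the hipsec thread.
It models the observation that a middlebox (MB) can only bind a signature
to a *live* peer if it can insert a nonce that the peer must sign back:
  - one signed packet and no reply  -> nobody is authenticated,
  - one reply                       -> the receiver is authenticated,
  - three consecutive messages      -> sender and receiver are authenticated.
HMAC over a per-host key stands in for the HI signature (assumption); the
MB holds the verification keys the way it would hold the peers' public keys.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str                    # HIT of the sender (assumed label)
    dst: str                    # HIT of the receiver
    payload: bytes
    nonces: list = field(default_factory=list)  # inserted by middleboxes, NOT signed
    echo: list = field(default_factory=list)    # nonces copied from the packet we answer, signed
    sig: bytes = b""


def _to_be_signed(p: Packet) -> bytes:
    """Bytes covered by the signature: headers, payload and echoed nonces."""
    return b"|".join([p.src.encode(), p.dst.encode(), p.payload, *p.echo])


class Host:
    def __init__(self, hit: str, key: bytes):
        self.hit, self.key = hit, key

    def send(self, dst: str, payload: bytes, echo=()) -> Packet:
        p = Packet(self.hit, dst, payload, echo=list(echo))
        p.sig = hmac.new(self.key, _to_be_signed(p), hashlib.sha256).digest()
        return p


class Middlebox:
    def __init__(self, keys: dict):
        self.keys = keys          # HIT -> verification key (stand-in for HI lookup)
        self.pending = {}         # HIT we challenged -> nonce we inserted
        self.authenticated = set()

    def forward(self, p: Packet) -> Packet:
        # 1. The signature must verify, otherwise drop.
        expected_sig = hmac.new(self.keys[p.src], _to_be_signed(p), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, p.sig):
            raise ValueError("bad signature from %s" % p.src)
        # 2. A valid signature alone proves nothing about liveness: only if the
        #    packet echoes the nonce we issued to this host is the host authenticated.
        challenge = self.pending.pop(p.src, None)
        if challenge is not None and challenge in p.echo:
            self.authenticated.add(p.src)
        # 3. Challenge the destination; its next signed packet must echo this nonce.
        nonce = secrets.token_bytes(8)
        self.pending[p.dst] = nonce
        p.nonces.append(nonce)
        return p


def run_exchange(n_messages: int) -> frozenset:
    """A and B alternate messages through one MB; returns who the MB authenticated."""
    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    a, b, mb = Host("A", keys["A"]), Host("B", keys["B"]), Middlebox(keys)
    sender, receiver, inbound = a, b, None
    for i in range(n_messages):
        echo = inbound.nonces if inbound is not None else ()
        inbound = mb.forward(sender.send(receiver.hit, b"msg%d" % i, echo))
        sender, receiver = receiver, sender
    return frozenset(mb.authenticated)


def replay_is_rejected() -> bool:
    """A captured, correctly signed reply replayed later must not re-authenticate B."""
    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    a, b, mb = Host("A", keys["A"]), Host("B", keys["B"]), Middlebox(keys)
    first = mb.forward(a.send("B", b"hello"))
    reply = b.send("A", b"ack", first.nonces)
    mb.forward(reply)                 # fresh: B echoes the live nonce
    mb.authenticated.clear()
    mb.forward(reply)                 # replay: signature still valid, nonce stale
    return "B" not in mb.authenticated


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "message(s):", sorted(run_exchange(n)))
    print("replay rejected:", replay_is_rejected())
```

Running it prints an empty set for a lone HIP_DATA packet, `['B']` once there is an acknowledgement, and `['A', 'B']` after the third message, which is the three-message requirement from the mail; the replay case shows why signature verification alone, without the nonce, does not help a middlebox.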