Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

Lakshminath,

I think we are actually talking about the same thing.  Can you take a
look at the email that I sent to Vidya a minute ago?  Maybe that
clarifies things a bit.

Alright, take care,

- Christian

-- 
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/

Lakshminath Dondeti wrote:
> At 11:58 AM 8/15/2006, Christian Vogt wrote:
>> Hi Lakshminath,
>>
>> we do HoA authorization in any case.  The question is how:
>>
>> (a)  According to RFC 3775, the HA binds the MN's HoA to the IPsec SA
>> during bootstrapping and re-verifies the HoA whenever it receives a BU
>>from the MN.
> 
> Here's my take on it.  If at bootstrapping, the HA makes the leap (no 
> way to always verify the HoA claim if the MN picks the HoA, but 
> doesn't provide CGA assertion), yeah, you are right.  Although, I am 
> still puzzled by your use of the word authorization in case of (a).
> 
> I am trying to make sure that the separation between actual address 
> authorization (this is case b) and re-verification based on initial 
> acceptance of an unverifiable claim (case a) is clear.  If all MNs 
> use CGAs, the burden on a misbehaving MN is substantially high, in 
> that it needs to find a collision to claim someone else's address.
> 
>> (b)  An alternative to this would be to have the HA verify the MN's HoA
>> based on a CGA property.  This is what Vidya brought in.
>>
>> Given that approach (a) already exists for HoA verification (it's the
>> default), there is actually no strong need for an additional approach
>> (b), although it may be handy in some deployments.
> 
> In your view, what is the upside of CGAs in this scenario.
> 
> regards,
> Lakshminath

_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop