[Hipsec-rg] Re: Native HIP API questions in the hipsec-rg meeting

mkomu@niksula.hut.fi (Miika Komu) Sat, 21 August 2004 15:50 UTC

From: mkomu@niksula.hut.fi (Miika Komu)
Date: Sat Aug 21 15:50:01 2004
Subject: [Hipsec-rg] Re: Native HIP API questions in the hipsec-rg meeting
In-Reply-To: <41260CBB.90200@isi.edu>
References: <6938661A6EDA8A4EA8D1419BCE46F24C04060809@xch-nw-27.nw.nos.boeing.com> <41252460.5040509@isi.edu> <Pine.GSO.4.58.0408200959460.3500@kekkonen.cs.hut.fi> <41260CBB.90200@isi.edu>
Message-ID: <Pine.GSO.4.58.0408212331520.9740@kekkonen.cs.hut.fi>

On Fri, 20 Aug 2004, Joe Touch wrote:

> A hostile host can just look up the host it wants to impersonate and use
> its HIP ID anyway.

The HIP ID equals the public key of a host (or a hash of it).
Impersonating the real host means that the hostile host has cracked the
public key, which is computationally a very difficult task.

> If you go to the DNS, presumably the entry there was signed - if you
> need to validate that the endpoint is who the DNS says it was, you MUST
> use the same signing authority as validation anyway; the HIP ID doesn't
> add any information.

The entry in the DNS is the public key of the host (or a hash of it), so
it does not need to be signed. The HIP base exchange fails if the key
received from the DNS does not match the one communicated in the base
exchange.

-- 
Miika Komu              miika@iki.fi          http://www.iki.fi/miika/
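
Added example, not part of the original message or of any HIP implementation: a sketch of the two checks the reply describes, that the peer's key must hash to the ID obtained from DNS and that the peer must prove possession of the private key. The ID format (SHA-1 truncated to 128 bits), the nonce challenge, the toy textbook RSA and all function names are assumptions made for illustration; the ID from DNS is taken as given.

```python
import hashlib
import hmac

E = 65537  # public exponent used by both constructed keys

def make_key(p, q):
    """Toy textbook-RSA key from two primes (no padding, illustration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def public_bytes(key):
    """Encode the public half (n, e); this stands in for the host identity."""
    n = key["n"]
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + E.to_bytes(4, "big")

def hip_id(pub):
    """Assumed ID format: SHA-1 of the public key, truncated to 128 bits."""
    return hashlib.sha1(pub).digest()[:16]

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])

def verify_peer(id_from_dns, pub, nonce, sig):
    """Accept only if the key matches the ID and the signature verifies."""
    if not hmac.compare_digest(hip_id(pub), id_from_dns):
        return "reject: key does not match ID from DNS"
    n = int.from_bytes(pub[:-4], "big")
    if pow(sig, E, n) != _digest(nonce, n):
        return "reject: bad signature"
    return "accept"

# Constructed sample keys built from Mersenne primes; far too small for real use.
REAL = make_key(2**61 - 1, 2**89 - 1)
HOSTILE = make_key(2**107 - 1, 2**127 - 1)
DNS_ID = hip_id(public_bytes(REAL))   # ID as obtained from DNS (taken as given)
NONCE = b"constructed-nonce-0001"     # verifier's fresh challenge

def run_cases():
    real_pub, bad_pub = public_bytes(REAL), public_bytes(HOSTILE)
    return {
        "real host": verify_peer(DNS_ID, real_pub, NONCE, sign(REAL, NONCE)),
        "hostile, own key": verify_peer(DNS_ID, bad_pub, NONCE, sign(HOSTILE, NONCE)),
        "hostile, copied key": verify_peer(DNS_ID, real_pub, NONCE, sign(HOSTILE, NONCE)),
    }

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case}: {result}")
```
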