[Hipsec-rg] Re: Native HIP API questions in the hipsec-rg meeting

touch@ISI.EDU (Joe Touch) Sat, 21 August 2004 12:35 UTC

From: touch@ISI.EDU (Joe Touch)
Date: Sat Aug 21 12:35:03 2004
Subject: [Hipsec-rg] Re: Native HIP API questions in the hipsec-rg meeting
In-Reply-To: <Pine.GSO.4.58.0408200959460.3500@kekkonen.cs.hut.fi>
References: <6938661A6EDA8A4EA8D1419BCE46F24C04060809@xch-nw-27.nw.nos.boeing.com> <41252460.5040509@isi.edu> <Pine.GSO.4.58.0408200959460.3500@kekkonen.cs.hut.fi>
Message-ID: <41260CBB.90200@isi.edu>

Miika Komu wrote:

> On Thu, 19 Aug 2004, Joe Touch wrote:
> 
> 
>>We already have a DNS which provides a global resolution structure. What
>>is the gain in having a global ID space?
>>
>>Far as I can tell, you need the DNS (or a copy that's just as
>>complicated and global) to give you the rendezvous points. If the dest
>>IS the rendezvous point, you're done. Why bother putting the ID in the
>>DNS and ensuring that it's global?
> 
> 
> If you don't know the ID of the peer before connection establishment, it
> is called "HIP opportunistic mode". A hostile host can DoS the peer and
> pretend to be the peer for you.
> 
> On the other hand, you can detect that another host has replaced the real
> peer if you can first look up the ID of the peer from the DNS.

A hostile host can just look up the host it wants to impersonate and use 
its HIP ID anyway. If you go to the DNS, presumably the entry there was 
signed - if you need to validate that the endpoint is who the DNS says 
it was, you MUST use the same signing authority as validation anyway; 
the HIP ID doesn't add any information.

Joe
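
The two modes Miika contrasts above (opportunistic mode, where the initiator has no peer HIT in advance, versus checking the offered identity against a HIT fetched from DNS), as an added example that is not part of the original thread. The HIT construction is a simplified ORCHID-style hash and the host identities, DNS record and host name are constructed.

```python
import hashlib

# Added example, not code from the original thread. Assumed, simplified HIT
# construction in the style of an ORCHID (RFC 4843): a 28-bit prefix followed
# by the top 100 bits of SHA-1(context_id || host_identity). Real HIP uses
# the encoded public key as the host identity; byte strings stand in here.
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 4843
ORCHID_PREFIX = 0x2001001  # 2001:10::/28, 28 bits


def hit_from_hi(host_identity: bytes) -> str:
    """Derive a HIT (IPv6 text form) from a host identity."""
    digest = hashlib.sha1(HIP_CONTEXT_ID + host_identity).digest()
    hash100 = int.from_bytes(digest, "big") >> (160 - 100)  # keep top 100 bits
    raw = ((ORCHID_PREFIX << 100) | hash100).to_bytes(16, "big")
    return ":".join(f"{raw[i]:02x}{raw[i + 1]:02x}" for i in range(0, 16, 2))


def accept_peer(dns_hit, peer_hi: bytes, opportunistic: bool):
    """Decide whether the HI offered during the base exchange is acceptable."""
    if opportunistic:
        # Opportunistic mode: the initiator had no HIT beforehand, so whatever
        # host answers first is taken as the peer; nothing to compare against.
        return True, "opportunistic mode: first responder accepted"
    if dns_hit is None:
        return False, "no HIT published for this peer"
    offered = hit_from_hi(peer_hi)
    if offered != dns_hit:
        return False, f"HIT mismatch: DNS says {dns_hit}, peer offered {offered}"
    return True, "offered HI matches the DNS-published HIT"


# Constructed sample data (not real keys or DNS records).
REAL_HI = b"constructed-host-identity-of-peer.example"
ROGUE_HI = b"constructed-host-identity-of-some-other-host"
DNS_HIT_RECORDS = {"peer.example": hit_from_hi(REAL_HI)}


def demo():
    """Run the three cases the thread discusses; returns accept/reject flags."""
    dns_hit = DNS_HIT_RECORDS["peer.example"]
    return {
        "opportunistic_rogue": accept_peer(dns_hit, ROGUE_HI, True)[0],
        "verified_real": accept_peer(dns_hit, REAL_HI, False)[0],
        "verified_rogue": accept_peer(dns_hit, ROGUE_HI, False)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```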