RE: SEND-based protection and related confusions (was RE: AR compromise (Re: [Mipshop] Review of draft-haddad-mipship-hmipv6-security-04))




On Wed, 16 Aug 2006, Narayanan, Vidya wrote:

> In the HMIP model (as in any host-based mobility model), I do feel
> strongly that the compromise of an AR must not cause spurious binding
> cache entries at the MAP on behalf of the MN.

=> A compromise of the AR has a much bigger impact on the HMIPv6 protocol than
what you are describing. Thus it does not make sense to ignore the real
impact of an AR compromise (in an HMIPv6 domain) and just highlight the
fact that it can cause "spurious binding cache entries"!

> So, brokering a trust relationship between the MN and the MAP by the AR
> providing a key and then doing a DH exchange is not attractive to me.

=> This is NOT accurate since it is assumed to have a trust relationship
and secure links between nodes inside the MAP domain and the AR is not
outside such a domain (note that this assumption is not new!). This is
mentioned in the security considerations section in the latest version.

> If we want to leverage the presence of CGAs, we could perhaps go down
> the path of IKEv2 using CGAs/self-signed certs,
> etc.

=> You don't need to go down this path with CGA (even when talking
about an alternative).

> We have to keep in mind that this is not equivalent to simple IPsec
> or IKEv2/EAP, but, in the interest of infrastructureless security, it
> can be done.

=> The draft assumes that the infrastructure is secure and the protocol
is built on such an assumption.


Regards,
Wassim H.
