Thread: New I-D: Security Threats to NETLMM
2006-03-13 15:49:36
The MAP has a mapping between the MN's IP address and the AR on which it
currently is. That is what the NETLMM protocol maintains. So, yes, there is
a per packet identifier and it is the destination IP address for the MN.

             jak

----- Original Message ----- 
From: "Christian Vogt" <chvogttm.uka.de>
To: "Julien Laganier" <julien.IETFlaposte.net>
Cc: <netlmmngnet.it>
Sent: Sunday, March 12, 2006 8:18 AM
Subject: Re: [netlmm] New I-D: Security Threats to NETLMM


> Rethinking this...
>
> While I agree that the per-packet identifier does not necessarily have
> to show up in the packets on the AR's side, it *does* have to on the
> MAP's side.  How would the MAP otherwise be able to tunnel data packets
> coming in from the Internet to the correct AR?
>
> Furthermore, the MAP cannot use information from layers below IP, so the
> per-packet identifier must come from the IP header at the MAP's side.
>
> Having said that, wouldn't it make sense to use the same per-packet
> identifier for both the AR and the MAP, i.e., one that shows up in the
> IP header?
>
> - Christian
>
> -- 
> Christian Vogt, Institute of Telematics, University of Karlsruhe
> www.tm.uka.de/~chvogt/pubkey/
>
>
>
> Christian Vogt wrote:
>> Hey Julien.
>>
>>
>>>Here are some indexes which I believe could be used as indexes to SA
>>>while not being present in each packet:
>>>
>>>- a physical port number on a switch
>>>- a (frequency slot number, time slot number) tuple
>>>
>>>Perhaps these are corner cases and it is unlikely that they would be
>>>used as SA indexes, but I thought relaxing the text on 'per-packet
>>>identifiers' in the draft would have been good. As I said earlier
>>>what we need is 1. 'per-MN identity authentication', and 2.
>>>'per-packet data origin authentication' where the origin would be
>>>identified based on 1.
>>>
>>>To me the latter does not necessarily imply that we have a
>>>'per-packet identifier' present in each packet. Again, perhaps this is
>>>just hair-splitting from myself...
>>
>>
>> You are right.  (Of course, some of these implicit identifiers could
>> quite easily be spoofed, but that's beside the point.)
>>
>> I don't think it's hair-splitting.  The draft needs to be general enough
>> to also accommodate for identifiers that do not explicitly show up in
>> the packets as you say---unless we specify more clearly what a
>> per-packet identifier might be.  I'm quite unbiased with respect to this.
>>
>> Bye,
>> - Christian
>>
>
> _______________________________________________
> netlmm mailing list
> netlmmngnet.it
> https://vesuvio.ipv6.cselt.it/mailman/listinfo/netlmm
> 