
Re: Anycast

>>>>>> "Dan" == Dan McDonald <danmcd@eng.sun.com> writes:
    Dan> Assuming my understanding of anycast is still up to snuff (it may
    Dan> not be), and that you've solved multicast key distribution, what you
    Dan> can have happen is this:

    Dan> 0.) Anycast keys are distributed, a node sends to the anycast
    Dan> address using that IPsec SA.

    Dan> 1.) The node that handles the anycast traffic accepts the packet,
    Dan> and turns around a response.  This response is to a unicast address,
    Dan> and if you use source address as a selector, it comes from a
    Dan> "different" source address.  This should kick off an IKE
    Dan> negotiation.

  I think that we can avoid introducing the multicast problem if one assumes
that static keys are not possible. Instead, one initiates to an anycast
address. 
  An IKE responder, seeing that it was initiated to an anycast address
either:
	1. initiates with its real address and provides some kind of proof
	that it is in fact the anycast address. This is a weird kind of 
	variation on the initial-contact since the anycast service provider's
	response must cause the original initiator to drop its ISAKMP SA,
	and use this new ISAKMP SA.

	2. replies, but from its real address. This requires special handling
	on the initiator's side to recognize that the anycast ISAKMP has been 
	replied to by a different IP address.


  In both cases, some kind of proof is required, probably in the form of a
certificate binding the anycast address and the physical address. (SPKI/SDSI
groups would be nice here)

    Dan> 2.) The remaining traffic is protected with a pair of unicast SAs
    Dan> that were negotiated by the anycast handler and the original node.

  My personal opinion is that anycast seems neat, but that protecting
connections to such addresses is dubious at best.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
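An added illustration of case 2 above (not code from the message or from any IKE implementation): the initiator keeps its pending exchange keyed by its own cookie, and when the reply arrives from an address other than the anycast destination it accepts the new peer only if a trusted binding of (anycast address, real address) is presented and the attested real address is the address actually replying. The trust-anchor key and the addresses are constructed, and the HMAC stands in for a CA-signed certificate.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for a trust anchor; a real deployment would verify a
# CA signature over the binding rather than an HMAC under a shared key.
TRUST_ANCHOR_KEY = b"constructed-trust-anchor-key"


def issue_binding(anycast: str, real: str, key: bytes = TRUST_ANCHOR_KEY) -> bytes:
    """Trust anchor attests that `real` legitimately serves `anycast`."""
    return hmac.new(key, f"{anycast}|{real}".encode(), hashlib.sha256).digest()


def binding_ok(anycast: str, real: str, proof: bytes, key: bytes = TRUST_ANCHOR_KEY) -> bool:
    return hmac.compare_digest(issue_binding(anycast, real, key), proof)


@dataclass
class PendingExchange:
    cookie: bytes      # initiator cookie: the only state that survives a source change
    anycast_dst: str   # address the initiator sent the first ISAKMP message to


@dataclass
class Reply:
    cookie: bytes
    src: str           # actual source address of the reply packet
    claimed_real: str  # real address named in the responder's binding
    proof: bytes       # attestation over (anycast_dst, claimed_real)


def accept_reply(pending: Dict[bytes, PendingExchange], reply: Reply) -> Optional[str]:
    """Return the peer address to bind the ISAKMP SA to, or None to drop the reply."""
    ex = pending.get(reply.cookie)
    if ex is None:
        return None                      # not an exchange we started
    if reply.src == ex.anycast_dst:
        return ex.anycast_dst            # ordinary case: no address change
    # Reply from a different address: anyone could answer an anycast
    # initiation, so require proof, and require that the attested real
    # address is the one actually replying, not merely some valid handler.
    if reply.claimed_real != reply.src:
        return None
    if not binding_ok(ex.anycast_dst, reply.claimed_real, reply.proof):
        return None
    return reply.src
```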