Re: Anycast
>>>>>> "Dan" == Dan McDonald <danmcd@eng.sun.com> writes:
Dan> Assuming my understanding of anycast is still up to snuff (it may
Dan> not be), and that you've solved multicast key distribution, what you
Dan> can have happen is this:
Dan> 0.) Anycast keys are distributed, a node sends to the anycast
Dan> address using that IPsec SA.
Dan> 1.) The node that handles the anycast traffic accepts the packet,
Dan> and turns around a response. This response is to a unicast address,
Dan> and if you use source address as a selector, it comes from a
Dan> "different" source address. This should kick off an IKE
Dan> negotiation.
I think that we can avoid introducing the multicast problem if one assumes
that static keys are not possible. Instead, one initiates to an anycast
address.
An IKE responder, seeing that it was initiated to an anycast address
either:
1. initiates with its real address and provides some kind of proof
that it is in fact the anycast address. This is a weird kind of
variation on the initial-contact since the anycast service provider's
response must cause the original initiator to drop its ISAKMP SA,
and use this new ISAKMP SA.
2. replies, but from its real address. This requires special handling
on the initiator's side to recognize that the anycast ISAKMP has been
replied to by a different IP address.
In both cases, some kind of proof is required, probably in the form of a
certificate binding the anycast address and the physical address. (SPKI/SDSI
groups would be nice here)
Dan> 2.) The remaining traffic is protected with a pair of unicast SAs
Dan> that were negotiated by the anycast handler and the original node.
My personal opinion is that anycast seems neat, but that protecting
connections to such addresses is dubious at best.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.
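The initiator-side check that option 2 above calls for, written out as an added example. This is illustrative Go, not code from the original message, from Dan or Michael, or from any IKE implementation. It assumes a hypothetical binding certificate signed with Ed25519 by an out-of-band trusted authority, standing in for the SPKI/SDSI or X.509 form the message leaves open; the addresses, type names and function names (AnycastBinding, IssueBinding, VerifyBinding, AcceptReply) are invented for the illustration, and the Reply struct stands in for the first IKE response as the initiator sees it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// AnycastBinding is a hypothetical certificate (assumption: not an IKE or
// SPKI/SDSI format) in which a trusted authority asserts that the node at
// RealAddr is a legitimate handler for the anycast address AnycastAddr.
type AnycastBinding struct {
	AnycastAddr net.IP
	RealAddr    net.IP
	Sig         []byte // authority's Ed25519 signature over bindingBytes(...)
}

// bindingBytes is the exact byte string the authority signs: a version tag and
// both addresses in fixed 16-byte form, so the signed statement cannot be
// re-read as a different address pair.
func bindingBytes(anycast, real net.IP) []byte {
	b := []byte("anycast-binding-v1|")
	b = append(b, anycast.To16()...)
	b = append(b, '|')
	b = append(b, real.To16()...)
	return b
}

// IssueBinding is what the authority does once, offline, per anycast member.
func IssueBinding(authPriv ed25519.PrivateKey, anycast, real net.IP) AnycastBinding {
	return AnycastBinding{
		AnycastAddr: anycast,
		RealAddr:    real,
		Sig:         ed25519.Sign(authPriv, bindingBytes(anycast, real)),
	}
}

// VerifyBinding checks the authority's signature over the address pair.
func VerifyBinding(authPub ed25519.PublicKey, b AnycastBinding) bool {
	if b.AnycastAddr == nil || b.RealAddr == nil {
		return false
	}
	return ed25519.Verify(authPub, bindingBytes(b.AnycastAddr, b.RealAddr), b.Sig)
}

// Reply stands in for the first IKE response as the initiator sees it: the IP
// source address it arrived from, plus an optional binding certificate.
type Reply struct {
	SrcAddr net.IP
	Binding *AnycastBinding
}

// AcceptReply is the initiator-side check from option 2 above. The initiator
// sent to anycastAddr and the reply arrived from reply.SrcAddr. It returns the
// peer address to continue the negotiation with, or an error when the address
// change is not proven.
func AcceptReply(authPub ed25519.PublicKey, anycastAddr net.IP, reply Reply) (net.IP, error) {
	// Unchanged source address: nothing to prove, proceed as ordinary IKE.
	if reply.SrcAddr.Equal(anycastAddr) {
		return reply.SrcAddr, nil
	}
	b := reply.Binding
	if b == nil {
		return nil, errors.New("reply from unexpected address with no binding")
	}
	if !VerifyBinding(authPub, *b) {
		return nil, errors.New("binding signature invalid")
	}
	// The certificate must name the address we actually initiated to ...
	if !b.AnycastAddr.Equal(anycastAddr) {
		return nil, errors.New("binding is for a different anycast address")
	}
	// ... and the address the packet actually came from, so nobody can steer
	// us to a third party by replaying some member's certificate.
	if !b.RealAddr.Equal(reply.SrcAddr) {
		return nil, errors.New("binding real address does not match packet source")
	}
	return reply.SrcAddr, nil
}

func main() {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	anycast := net.ParseIP("2001:db8::53")   // constructed anycast address
	handler := net.ParseIP("2001:db8:1::10") // constructed unicast address of one member
	cert := IssueBinding(authPriv, anycast, handler)

	peer, err := AcceptReply(authPub, anycast, Reply{SrcAddr: handler, Binding: &cert})
	fmt.Println("accepted peer:", peer, "err:", err)

	// The handler's certificate presented from another address is refused.
	attacker := net.ParseIP("2001:db8:bad::1")
	_, err = AcceptReply(authPub, anycast, Reply{SrcAddr: attacker, Binding: &cert})
	fmt.Println("replayed cert from other address:", err)
}
```

The two address comparisons are the point: the certificate has to name both the anycast address the initiator chose and the source address the reply actually carries, otherwise any holder of a valid member certificate could redirect the initiator elsewhere. Since a source address alone can be forged, a deployable version would also bind the handler's IKE identity or public key into the certificate and require the responder to prove possession of it in the same exchange; that is my own caveat, not something the message above specifies.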