
Re: Son-of-IKE Selection Criteria?



In message <2F3EC696EAEED311BB2D009027C3F4F4058698B0@vhqpostal.verisign.com>,
"Hallam-Baker, Phillip" writes:

>
>1. Issue every device an IP identity credential bound to its IP address.
>	This is the ONLY form of identity that can provably prevent any 
>	additional disclosure of identity in an IP environment since your
>	IP address is known in any case.
>

The problem is that many devices have dynamic IP addresses, i.e., 
dial-up machines, machines owned by hotel guests -- and machines owned 
by IETF attendees...  Who should issue such credentials?  Send them 
along with the DHCP or PPP negotiation?  That would stall SoI until 
the service providers wanted to support it.  Worse yet, most hotel 
access is via NAT boxes, which means that many guests are sharing the 
same credential.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com