Re: Son-of-IKE Selection Criteria?
In message <2F3EC696EAEED311BB2D009027C3F4F4058698B0@vhqpostal.verisign.com>, "Hallam-Baker, Phillip" writes:
>
>1. Issue every device an IP identity credential bound to its IP address.
> This is the ONLY form of identity that can provably prevent any
> additional disclosure of identity in an IP environment since your
> IP address is known in any case.
>
The problem is that many devices have dynamic IP addresses, i.e.,
dial-up machines, machines owned by hotel guests -- and machines owned
by IETF attendees... Who should issue such credentials? Send them
along with the DHCP or PPP negotiation? That would stall SoI until
the service providers wanted to support it. Worse yet, most hotel
access is via NAT boxes, which means that many guests are sharing the
same credential.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com