
Re: addresses and IKEv2



 In your previous mail you wrote:

   I have privately thought for a long time that IPsec's dependence on an
   IP address to determine an SA to be a fundamental flaw in its design.
   To be effective IPsec needs a global address space, in which each host is
   uniquely identified, like the Internet was prior to the introduction of
   NATs, etc.  To make this work a way to dynamically map an Internet address,
   including duplicate private non-routable addresses, to a global unique IPsec
   address/identifier needs to be made available.  Each host can then query
   this database to resolve an IP address to a secure IPsec address/identifier.
   Cryptography is then used to assure that the IPsec address/identifier is
   indeed valid.  In this way both MobileIP and NAT can be supported as-is,
   because they operate on an insecure non-unique IP address, while IPsec uses
   the parallel universe of a secure unique IPsec address/identifier.
   
=> what you want is HIP (Host Identity Payload protocol)...

   However this approach does mean that IPsec can no longer be treated as just
   a secure protocol, or set of protocols if you include key management. It
   must be part of a security system, which includes this address mapping
   facility.
   
=> HIP or any other two space (*) solution should be a major change
in the architecture of the Internet.

Thanks

Francis.Dupont@enst-bretagne.fr

PS (*): systems where locator and identity functions of addresses
are separated.