Re: addresses and IKEv2
In your previous mail you wrote:
I have privately thought for a long time that IPsec's dependence on an
IP address to determine an SA to be a fundamental flaw in its design.
To be effective IPsec needs a global address space, in which each host is
uniquely identified, like the Internet was prior to the introduction of
NATs, etc. To make this work a way to dynamically map an Internet address,
including duplicate private non-routable addresses, to a global unique IPsec
address/identifier needs to be made available. Each host can then query
this database to resolve an IP address to a secure IPsec address/identifier.
Cryptography is then used to assure that the IPsec address/identifier is
indeed valid. In this way both MobileIP and NAT can be supported as-is,
because they operate on an insecure non-unique IP address, while IPsec uses
the parallel universe of a secure unique IPsec address/identifier.
=> what you want is HIP (Host Identity Payload protocol)...
However this approach does mean that IPsec can no longer be treated as just
a secure protocol, or set of protocols if you include key management. It
must be part of a security system, which includes this address mapping
facility.
=> HIP or any other two space (*) solution should be a major change
in the architecture of the Internet.
Thanks
Francis.Dupont@enst-bretagne.fr
PS (*): systems where locator and identity functions of addresses
are separated.
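The two-space idea discussed in the thread (a locator that NAT or Mobile IP may rewrite, and a separate identifier that an SA is keyed on, bound to a key by cryptography) is small enough to model in code. The following is an added example, not code from the thread or from any HIP implementation: the identifier is a hash of the host's public key (the self-certifying construction HIP uses for its Host Identity Tag), the mapping database is an untrusted dictionary from locator to (identifier, public key), and a peer accepts an entry only if the key hashes to the claimed identifier and the host proves possession of that key. A hash-based one-time signature (Lamport) stands in for the multi-use public-key signature a real deployment would use; addresses, seeds and the challenge are constructed for the demonstration.

```python
"""Added example: a locator/identifier split in miniature (not HIP itself)."""
import hashlib
from typing import Optional

NBITS = 256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes):
    """Lamport one-time key pair derived deterministically from a seed.

    priv[i][b] is a secret preimage for message bit i having value b,
    pub[i][b] is its hash.  One key pair must sign only one message.
    """
    priv = [[sha256(seed + bytes([b]) + i.to_bytes(2, "big")) for b in (0, 1)]
            for i in range(NBITS)]
    pub = [[sha256(x) for x in pair] for pair in priv]
    return priv, pub


def pub_bytes(pub) -> bytes:
    return b"".join(h for pair in pub for h in pair)


def host_identity(pub) -> bytes:
    """Self-certifying identifier: a hash of the public key, independent of
    any IP address (the same idea as HIP's Host Identity Tag)."""
    return sha256(pub_bytes(pub))[:16]


def message_bits(msg: bytes):
    digest = sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(NBITS)]


def sign(priv, msg: bytes):
    """Reveal, for each bit of H(msg), the preimage matching that bit."""
    return [priv[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pub, msg: bytes, sig) -> bool:
    if len(sig) != NBITS:
        return False
    return all(sha256(sig[i]) == pub[i][bit]
               for i, bit in enumerate(message_bits(msg)))


def register(db: dict, locator: str, identity: bytes, pub) -> None:
    """The mapping database is untrusted: anyone can write to it."""
    db[locator] = (identity, pub)


def resolve(db: dict, locator: str):
    """Return (identity, pub) for a locator, or None when the stored key does
    not hash to the identity it claims (a spoofed mapping entry)."""
    entry = db.get(locator)
    if entry is None:
        return None
    identity, pub = entry
    return None if host_identity(pub) != identity else (identity, pub)


def authenticate(db: dict, locator: str, challenge: bytes, sig) -> Optional[bytes]:
    """Resolve the locator, then require proof of possession of the bound key.
    Returns the verified identity (what an SA is keyed on), else None."""
    resolved = resolve(db, locator)
    if resolved is None:
        return None
    identity, pub = resolved
    return identity if verify(pub, challenge, sig) else None


# Constructed scenario: host A and an attacker X (seeds are not secret here).
PRIV_A, PUB_A = keygen(b"host-A-seed")
HIT_A = host_identity(PUB_A)
PRIV_X, PUB_X = keygen(b"attacker-seed")
HIT_X = host_identity(PUB_X)
CHALLENGE = b"peer-nonce-0001"       # constructed; signed exactly once because
SIG_A = sign(PRIV_A, CHALLENGE)      # the one-time scheme forbids a second use


def scenario() -> dict:
    db = {}
    # A first appears behind a NAT at a public locator (TEST-NET address).
    register(db, "203.0.113.7", HIT_A, PUB_A)
    behind_nat = authenticate(db, "203.0.113.7", CHALLENGE, SIG_A)
    # A moves (Mobile IP): only the locator changes, identity and key do not.
    register(db, "198.51.100.9", HIT_A, PUB_A)
    after_move = authenticate(db, "198.51.100.9", CHALLENGE, SIG_A)
    # X rewrites A's entry with X's key but keeps A's identity: binding fails.
    register(db, "198.51.100.9", HIT_A, PUB_X)
    spoofed = resolve(db, "198.51.100.9")
    # X registers honestly under its own identity: binding holds, but an SA
    # looked up by HIT_A will not match HIT_X.
    register(db, "192.0.2.44", HIT_X, PUB_X)
    impostor = authenticate(db, "192.0.2.44", CHALLENGE, sign(PRIV_X, CHALLENGE))
    return {"behind_nat": behind_nat, "after_move": after_move,
            "spoofed": spoofed, "impostor": impostor}


if __name__ == "__main__":
    r = scenario()
    print("identity stable across locators:", r["behind_nat"] == r["after_move"] == HIT_A)
    print("spoofed mapping rejected:", r["spoofed"] is None)
    print("impostor is a different identity:", r["impostor"] == HIT_X != HIT_A)
```

The point of the model is where trust sits: the database and the locators are untrusted and may change under NAT or mobility, while the identity is trusted only because it is the hash of a key the host can prove it holds. This is also why, as the reply notes, such a design is an architectural change rather than an IPsec option: every peer must resolve and verify identifiers before any SA lookup.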