Hi folks, I am finally trying scratch some time to address IESG feedback related to NAT traversal draft. Eric Rescorla (among others) questioned why we have chosen to have the locators (aka candidates) in plaintext whereas in ICE, the locators are XORred to protect against middlebox tampering. The original reasoning for this is was that because that is the way non-NAT traversal version of the HIP works (RFC7401).
I don't think we need XORring with HIP because we have more powerful mechanisms in HIP. So, I am going to add some text that mandates that the LOCATOR parameter must be encapsulated inside ENCRYPTED parameter when ICE-HIP-UDP will be used. The tradeoff here is that we favor end-host privacy at the cost middlebox transparency. Please let me know during the two next weeks if you disagree, otherwise I consider the issue to be resolved at least from the WG perspective. _______________________________________________ Hipsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/hipsec
