Erik Nordmark wrote:
> If there is new functionality in the stack and a new piece of
> infrastructure, it *may* be possible to provide sufficient
> incentives for upgrading the applications. I would imagine that
> security might be such a feature in the long run.
But security of what? See below.
...
> My assumption is that anybody that cares about security of the content
> being communicated applies some security to that content; IPsec, TLS,
> whatever. And if folks care about www.example.com really mapping to an
> IP address and the routes pointing in that direction, we need DNSsec
> and some routing security.
> AFAICT we need this even if HIP is used (even though HIP helps to get
> IPsec end-to-end).
Yes. One of the reasons why this is needed is that
the specific issues in applications typically need specific
security support that is easier to provide in the application
or transport layer. Secondly, historically, we have struggled
in providing meaningful and universal information from IP
layer security mechanisms to applications. I do not
see any reason why the world would change in this regard,
particularly given the already developed and deployed
mechanisms.
> I think this implies that the length of the hash is only there to
> protect against redirection attacks for off-path attackers; on-path
> attackers, e.g. somebody that can cut the wire or control the
> software/firmware in a router or switch, can always redirect packets.
Agreed.
--Jari
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------