On 10 Jun 2010, at 10:47, Patrick Frejborg wrote:
> Couldn't open this one
> http://www.cs.st-andrews.ac.uk/~saleem/papers/2009/milcom2009/milcom2009-rab2009.pdf
> Firefox reported it broken

Hmm. I just was able to click on that and have the PDF open.
So I'm not sure what happened.  Maybe some transient 
network issue somewhere.

I apologise for being very unclear in my earlier note.
I actually meant the other MILCOM 2009 paper online:

  R. Atkinson  &  S. Bhatti,
  Site-Controlled Secure Multi-homing and Traffic Engineering for IP, 
  28th IEEE Military Communications Conference (MILCOM), 
  Boston, MA, USA, October 2009

(I just verified that link from the ilnp.cs.st-andrews.ac.uk
site, and it opened the right PDF, at least for me.)

> However, it could be hard to sell this to the security officers, i.e.
> having an external partner updating their ACL or firewall rules
> automatically....

Hmm.

It isn't really "having an external partner update their ACL 
or firewall rules", but instead using learned local-knowledge
(knowledge that can be authenticated !) to locally update 
local ACL or firewall rules.  

That is, the ruleset remains whatever was locally chosen; 
it is just that the location change is learned 
and then the same locally-specified rule is applied 
to the same locally-specified node/site, 
at the remote node/site's new location.

There are multiple authentication mechanisms for those
ICMP Locator Updates:
        - non-cryptographic session nonces are always used
        - cryptographic authentication of the packet (IPsec AH)
          can optionally be used

Separately, DNS with DNS Security can be used to retrieve
the revised Locator value(s) from the DNS 

&&

the mobile site/node can use Secure Dynamic DNS Update
to send the revised Locator value(s) to its authoritative
DNS Servers.

(I think the authentication aspect of the updates is
pretty thoroughly covered in the current ILNP specs.)

>> This is no longer true.  The bandwidth pressures created
>> by various "smart phones" mean that mobile phone operators
>> are quite keen to encourage their users to migrate to WiFi
>> if they roam to an area with good WiFi coverage (for example),
>> at least for data traffic (Handoffs of voice telephony traffic
>> to WiFi are still in flux in the marketplace).

> Think the reason is that the current TDM connections are
> too expensive and get filled by data that is not generating
> much revenue. This model could change back once carrier ethernet
> is available, they should be much much cheaper than the TDM
> connections.

That could be true for some operators in some places.

The subset of mobile telephone operators who already have 
deployed Carrier Ethernet over glass that I happen to have 
talked with told me that (for them at least) the bandwidth 
of the radio links is the fundamental limitation (and they
told me that moving to any of the 4G radio technology options 
doesn't alleviate that limitation for them).

Of course, "mileage could vary" from one operator, location, 
or regulatory environment to another.  Also, not all IP 
carriers use mobile telephone technology, some use copper
wires (e.g. DSL), fibre-optic cables (e.g. Verizon FIOS), 
hybrid fibre-coax (HFC), or other wireless technologies 
(e.g. WiMAX as a "last mile" point-to-point link).

Cheers,

Ran

_______________________________________________
rrg mailing list
rrg@irtf.org
http://www.irtf.org/mailman/listinfo/rrg
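
The local-rule behaviour described in the message above, as an added example that is not part of the original e-mail or of the ILNP specifications: a locally chosen rule stays keyed to a node Identifier, and a Locator Update carrying the matching session nonce only rebinds where that rule applies. The class, method names, default-deny behaviour and all sample values are assumptions made for illustration; the optional IPsec AH check is not modelled.

```python
import hmac
from dataclasses import dataclass

# All identifiers, locators and nonces below are constructed sample values.
@dataclass
class Rule:
    action: str        # locally chosen: "permit" or "deny"
    nonce: bytes       # session nonce expected in Locator Updates
    locators: set      # locations currently bound to this Identifier

class LocalPolicy:
    """Hypothetical local ruleset keyed by node Identifier."""

    def __init__(self):
        self.rules = {}

    def add_rule(self, identifier, action, nonce, locator):
        self.rules[identifier] = Rule(action, nonce, {locator})

    def locator_update(self, identifier, nonce, new_locators):
        """Rebind a node's location; return True only if accepted."""
        rule = self.rules.get(identifier)
        if rule is None or not new_locators:
            return False                      # no local rule to move
        if not hmac.compare_digest(rule.nonce, nonce):
            return False                      # wrong nonce: binding unchanged
        rule.locators = set(new_locators)     # same rule, new location
        return True

    def decide(self, locator, identifier):
        rule = self.rules.get(identifier)
        if rule is None or locator not in rule.locators:
            return "deny"                     # assumed default-deny
        return rule.action

def demo():
    fw = LocalPolicy()
    node = "0211:22ff:fe33:4455"
    old, new = "2001:db8:a:1", "2001:db8:b:7"
    fw.add_rule(node, "permit", b"\x5a\x11\xc3\x09", old)
    forged = fw.locator_update(node, b"\x00\x00\x00\x00", [new])
    before = fw.decide(new, node)
    genuine = fw.locator_update(node, b"\x5a\x11\xc3\x09", [new])
    return forged, before, genuine, fw.decide(new, node), fw.decide(old, node)

if __name__ == "__main__":
    print(demo())
```

The update with the wrong nonce leaves the binding untouched, so traffic from the new location is still denied until a valid update arrives; after that the old location no longer matches the rule.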
