On 10 Jun 2010, at 15:48, Patrick Frejborg wrote:
>> Hmm.
>> 
>> It isn't really "having an external partner update their ACL
>> or firewall rules", but instead using learned local-knowledge
>> (knowledge that can be authenticated !) to locally update
>> local ACL or firewall rules.
>> 
>> That is, the ruleset remains whatever was locally chosen,
>> it is just that as the location change is learned
>> and then the same locally-specified rule is applied
>> to the same locally-specified node/site,
>> at the remote node/site's new location.
>> 
>> There are multiple authentication mechanisms for those
>> ICMP Locator Updates:
>>        - non-cryptographic session nonces are always used
>>        - cryptographic authentication of the packet (IPsec AH)
>>          can optionally be used
> 
> This is a little bit controversial: for the routing architecture the
> IP address is divided into identifier & locator values, but in order to
> traverse security architectures both are glued together again as an IP
> address, making one architecture scale better while the other one
> becomes more complex.

I don't understand what you are trying to say just above.
Your use of the word "this" is perhaps where I get lost.

The obvious antecedent would be "authentication mechanisms",
but I can't figure out what might be controversial about
either mechanism.  ILNP AH does not bind to the Locator
in any event, and the Nonce value isn't cryptographically
bound at all.

(Please provide a bit more context to your comment, 
and maybe expand it a bit so I can understand it.  Thanks.  :-)

Cheers,

Ran Atkinson

_______________________________________________
rrg mailing list
rrg@irtf.org
http://www.irtf.org/mailman/listinfo/rrg
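The mechanism Ran describes (a ruleset written against the remote node, a Locator Update accepted only when it carries the session nonce, and the same locally specified rule then enforced at the node's new locator) is easier to see in code. The following is a constructed toy model added to this archive page; it is not ILNP code and does not implement the real ICMP Locator Update or Nonce option formats. The class names, the 4-byte nonce size, the `"nid-partner"`/`"loc-A"` identifiers and the message fields are all assumptions made for the example.

```python
"""Toy model: identifier-keyed firewall rules that follow a Locator Update.

Constructed illustration, not ILNP reference code.  Message layout, nonce
size and all names below are assumptions for this example only.
"""
import os
from dataclasses import dataclass


@dataclass
class Session:
    """State kept per session with a remote node, keyed on its identifier."""
    remote_nid: str        # remote Node Identifier (the stable half)
    remote_locator: str    # remote Locator as currently learned
    nonce_in: bytes        # nonce the peer must echo on packets it sends us
    nonce_out: bytes       # nonce we echo on packets we send to the peer


class IdentifierFirewall:
    """Rules are keyed on Node Identifier, never on Locator."""

    def __init__(self):
        self.rules = {}      # nid -> "allow" | "deny"
        self.sessions = {}   # nid -> Session

    def add_rule(self, nid, action):
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        self.rules[nid] = action

    def open_session(self, nid, locator):
        # Nonces are random and per direction; they are a freshness /
        # off-path check only, not a cryptographic binding (assumed 4 bytes).
        s = Session(nid, locator, os.urandom(4), os.urandom(4))
        self.sessions[nid] = s
        return s

    def check_packet(self, src_nid, src_locator, nonce):
        """Decide a data packet; returns "allow" or "deny"."""
        s = self.sessions.get(src_nid)
        if s is None or s.remote_locator != src_locator or nonce != s.nonce_in:
            # Unknown session, stale or unknown locator, or wrong nonce.
            return "deny"
        # The locally chosen rule for this identifier is what gets applied.
        return self.rules.get(src_nid, "deny")

    def locator_update(self, src_nid, new_locator, nonce):
        """Process a Locator Update; returns True if the binding changed."""
        s = self.sessions.get(src_nid)
        if s is None or nonce != s.nonce_in:
            # An off-path sender that does not know the session nonce loses.
            return False
        s.remote_locator = new_locator
        return True

    def effective_acl(self):
        """The locator-level view a conventional firewall operator would see."""
        return {s.remote_locator: self.rules.get(nid, "deny")
                for nid, s in self.sessions.items()}


def demo():
    """Walk through a spoofed and then a genuine Locator Update."""
    fw = IdentifierFirewall()
    fw.add_rule("nid-partner", "allow")          # rule names the node, not an address
    s = fw.open_session("nid-partner", "loc-A")
    wrong_nonce = bytes(b ^ 0xFF for b in s.nonce_in)   # guaranteed != nonce_in
    out = {}
    out["before"] = fw.check_packet("nid-partner", "loc-A", s.nonce_in)
    # Attacker who guesses the identifier but not the nonce tries to move it.
    out["spoof_accepted"] = fw.locator_update("nid-partner", "loc-EVIL", wrong_nonce)
    out["after_spoof_from_old"] = fw.check_packet("nid-partner", "loc-A", s.nonce_in)
    out["after_spoof_from_evil"] = fw.check_packet("nid-partner", "loc-EVIL", s.nonce_in)
    # The real peer moves and announces its new locator with the right nonce.
    out["update_accepted"] = fw.locator_update("nid-partner", "loc-B", s.nonce_in)
    out["after_from_new"] = fw.check_packet("nid-partner", "loc-B", s.nonce_in)
    out["after_from_old"] = fw.check_packet("nid-partner", "loc-A", s.nonce_in)
    out["acl_after"] = fw.effective_acl()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `effective_acl()` is the one made in the thread: no external partner edits anything, the operator's rule stays "allow nid-partner", and only the locator it resolves to changes once an authenticated update is learned. The nonce check here is the non-cryptographic baseline; where AH is added on the update it protects the packet, and, as Ran notes, it is not a binding to the Locator itself.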
