[e2e] where to put endpoint authentication?
marcelo at it.uc3m.es
Wed May 12 01:46:22 PDT 2004
> -----Original Message-----
> From: end2end-interest-bounces at postel.org
> [mailto:end2end-interest-bounces at postel.org] On Behalf Of Joe Touch
> Sent: Monday, May 10, 2004 22:32
> To: RJ Atkinson
> CC: End-to-end
> Subject: Re: [e2e] where to put endpoint authentication?
> RJ Atkinson wrote:
> > On May 10, 2004, at 14:09, Joe Touch wrote:
> >> HIP (IMO) appears similar to IPsec in the protection it provides (i.e.,
> >> network layer), and is very similar to IPsec tunnel mode in how endpoint
> >> ID is somewhat decoupled from forwarding ID (like E2E tunnels, the
> >> endpoint needs to 'route' based on these endpoint IDs, though).
> > "similar" was a good choice of wording above. My perception is that
> > the set of protections provided with HIP is not identical with those
> > provided by ESP/AH. Maybe I am just confused about how HIP works.
> > Ran
> The particular encryption and key exchange algorithms aside (though they
> may be the critical difference), HIP is indistinguishable in spirit from
> an IPsec e2e tunnel between the two endpoints. The former's inner IP
> header + AH signature are equivalent in that sense to the HIP ID.
Well, HIP does use ESP to protect the packets, but IMHO this relates to
the implementation of HIP more than to what it really provides.
I guess that the real contribution of HIP is that it provides a new endpoint
identifier namespace which is cryptographic in nature. So the endpoint
identifier is a public key, which implies that a HIP-enabled node will use
the HI (Host Identifier) when referring to the endpoint above the HIP layer,
i.e. the transport and the apps will deal with the HI and not with the IP
address as they currently do.
W.r.t. IPsec, I guess that the main difference is that HIP actually provides
a new identifier namespace whose ownership can be proven, so that the
applications can, for instance, use it for recognizing the other endpoint in
ACLs and filters, while in regular IPsec the apps still use the IP address
as the endpoint ID, so you still need a binding between the identifier used
(the IP address) and the key used in IPsec, I guess. In HIP they are
naturally bound since they are the same.
But perhaps I am misunderstanding some issues here and we would need a HIP
expert to explain these issues in more detail...
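The distinction the post draws (an identifier that is itself a key, so a filter keyed on it needs no separate address-to-key binding) is easy to see in code. The following is an added example written for this archive page; it is not code from the post, from any HIP implementation, or from the HIP specifications. It assumes Ed25519 as the host key algorithm, derives a Host Identity Tag as the first 16 bytes of SHA-256 over the public key, and uses a simple challenge-response as the ownership proof; all three are simplifications chosen for illustration, and every type and function name here is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HostIdentity is a HIP-style endpoint identity: the Host Identifier (HI) is
// the public key itself, so "who am I" and "which key do I hold" are one fact.
type HostIdentity struct {
	HI   ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewHostIdentity mints a fresh identity. Ed25519 is an assumption made for
// this example, not the algorithm the post or HIP itself prescribes.
func NewHostIdentity() (*HostIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HostIdentity{HI: pub, priv: priv}, nil
}

// HIT derives a fixed-size Host Identity Tag from the HI: here the first 16
// bytes of SHA-256(HI), hex-encoded (a simplification, not the real HIP
// derivation). Because the tag is a function of the key, nobody can claim a
// tag without holding the matching private key.
func HIT(hi ed25519.PublicKey) string {
	sum := sha256.Sum256(hi)
	return hex.EncodeToString(sum[:16])
}

// Proof is what a peer presents instead of "I am 10.0.0.5": its HI plus a
// signature over a verifier-chosen challenge.
type Proof struct {
	HI  ed25519.PublicKey
	Sig []byte
}

// proofMessage domain-separates the signed bytes so a signature produced for
// this purpose cannot be replayed in some other context.
func proofMessage(challenge []byte) []byte {
	return append([]byte("example-hip-ownership-proof\x00"), challenge...)
}

// Prove signs the verifier's challenge with the private half of the identity.
func (h *HostIdentity) Prove(challenge []byte) Proof {
	return Proof{HI: h.HI, Sig: ed25519.Sign(h.priv, proofMessage(challenge))}
}

// VerifyProof checks that the presenter owns the HI it claims and returns the
// HIT that the rest of the stack may now rely on.
func VerifyProof(challenge []byte, p Proof) (string, error) {
	if len(p.HI) != ed25519.PublicKeySize {
		return "", errors.New("malformed HI")
	}
	if !ed25519.Verify(p.HI, proofMessage(challenge), p.Sig) {
		return "", errors.New("signature does not verify: presenter does not own this HI")
	}
	return HIT(p.HI), nil
}

// ACL is keyed on HITs, not IP addresses. An address-keyed rule still needs an
// external binding "address A belongs to key K"; here the thing filtered on
// is the key.
type ACL map[string]bool

// Admit returns (true, nil) for a valid proof from an allowed HIT, (false, nil)
// for a valid proof from an unlisted HIT, and (false, err) when ownership could
// not be established at all.
func (a ACL) Admit(challenge []byte, p Proof) (bool, error) {
	hit, err := VerifyProof(challenge, p)
	if err != nil {
		return false, err
	}
	return a[hit], nil
}

func main() {
	alice, err := NewHostIdentity()
	if err != nil {
		panic(err)
	}
	mallory, err := NewHostIdentity()
	if err != nil {
		panic(err)
	}
	acl := ACL{HIT(alice.HI): true}

	challenge := make([]byte, 16) // constructed per-exchange nonce
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	ok, err := acl.Admit(challenge, alice.Prove(challenge))
	fmt.Println("alice with her own key:        ", ok, err)
	ok, err = acl.Admit(challenge, mallory.Prove(challenge))
	fmt.Println("mallory with his own key:      ", ok, err)
	forged := Proof{HI: alice.HI, Sig: mallory.Prove(challenge).Sig}
	ok, err = acl.Admit(challenge, forged)
	fmt.Println("mallory presenting alice's HI: ", ok, err)
}
```

Note what the ACL never looks at: the source address. A host that renumbers or moves keeps the same HIT and keeps matching the rule, while an attacker who can spoof the "right" address gains nothing, because the only way to produce an accepted proof for a listed HIT is to hold the corresponding private key.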