[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Fwd: I-D ACTION:draft-nordmark-shim6-esd-00.txt]
Henderson, Thomas R wrote:
As I briefly mentioned today, there has been some complementary work in
the HIP RG that discusses the handling of non-routable identifiers in
the main differences being the use of KHI (now ORCHIDs) in HIP instead
Is there an orchid draft? (I'm curious what might have changed other
than the name.)
Until recently, the HIP drafts defined a "Type 2" HIT with the property
that the upper 64 bits contained support for two levels of hierarchical
naming (enabling reverse resolution), with the lower bits being drawn
from a hash of the public key, but this HIT type was dropped due to lack
of interest last year:
It was also felt by some that 64 bits of hash was insufficient to
protect the binding between HIT and public key.
I can understand the 64 bit concern for HIP, since HIP is securing the
payload. Hence the comparison is with the strength that IKE can provide.
But shim6 is only preventing redirection attacks; if one cares about
payload protection one would run IPsec, TLS, etc above shim6.
For the redirection threats, 64 bits is probably plenty.