ARIN-PPML Message

[ppml] [narten at us.ibm.com: PI addressing in IPv6 advances in ARIN]


--On April 18, 2006 11:22:19 AM +1000 Geoff Huston <gih at apnic.net> wrote:

>
>> I personally think the middlebox approach is the easiest to deploy/
>> least disruptive to end users/most familiar to ISPs technique to
>> implement an end point identifier/routing locator split, but I'm
>> cynical enough to be skeptical either approach will be taken...
>
> And probably the highest potential risk, unfortunately.
>
> From the packet's perspective what's the difference between the helpful
> header rewriting that my middlebox performs and the evil rewriting that
> your middlebox performs? i.e. how can you tell the boundary of a site?
> How can you create a decent security association between the endpoints
> and the middlebox?
>
How is this different from the ability to intercept the packet at each
hop today?

If you can get in the data stream, you can divert the packets.  Simple
as that.  It does not change the nature of the security issue as it
exists today.

Owen



-- 
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://lists.arin.net/pipermail/arin-ppml/attachments/20060417/0c0349b3/attachment.bin>
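To make the two positions in the exchange above concrete, here is an added illustration; it is not part of the original list message and does not describe any ARIN or IETF proposal. It models an identifier/locator split with a hypothetical packet layout (the field names, the address literals and the shared key are all constructed for the demonstration) and applies the approach IPsec AH takes: a keyed MAC over the end-to-end fields that leaves the mutable locators uncovered, so a site-border box can rewrite locators without breaking it. The result shows both points made in the thread: with no security association the receiver cannot tell helpful from evil rewriting at all, and even with one, anyone on path can still divert the packet; what the association buys is detection of tampering with the identifiers and payload.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Hypothetical id/locator-split packet; constructed for this example, not a real wire format."""
    src_loc: str        # routing locator: a site-border middlebox is expected to rewrite it
    dst_loc: str
    src_id: str         # endpoint identifier: meant to survive end to end
    dst_id: str
    payload: bytes
    tag: bytes = b""    # MAC over the end-to-end fields; empty when no SA exists


def _end_to_end_fields(pkt: Packet) -> bytes:
    # The locators are deliberately left out, the way IPsec AH zeroes mutable
    # header fields, so a legitimate locator rewrite does not invalidate the MAC.
    return b"\x00".join([pkt.src_id.encode(), pkt.dst_id.encode(), pkt.payload])


def sign(pkt: Packet, key: bytes) -> Packet:
    tag = hmac.new(key, _end_to_end_fields(pkt), hashlib.sha256).digest()
    return replace(pkt, tag=tag)


def verify(pkt: Packet, key: bytes) -> bool:
    if not pkt.tag:
        return False    # no SA: the receiver has nothing to check against
    expected = hmac.new(key, _end_to_end_fields(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.tag)


def helpful_middlebox(pkt: Packet, new_src_loc: str, new_dst_loc: str) -> Packet:
    """The 'helpful' site-border rewrite: locators change, identifiers do not."""
    return replace(pkt, src_loc=new_src_loc, dst_loc=new_dst_loc)


def evil_divert(pkt: Packet, attacker_loc: str) -> Packet:
    """An on-path box steering the packet elsewhere by rewriting only the locator."""
    return replace(pkt, dst_loc=attacker_loc)


def evil_retarget(pkt: Packet, attacker_id: str, attacker_loc: str) -> Packet:
    """An on-path box that also rewrites the end-to-end destination identifier."""
    return replace(pkt, dst_id=attacker_id, dst_loc=attacker_loc)


def demo() -> dict:
    key = b"constructed-demo-key"        # stands in for the endpoint security association
    wrong_key = b"attacker-guess"        # an on-path box without the SA
    pkt = Packet("2001:db8:1::10", "2001:db8:2::20", "host-a", "host-b", b"hello")
    signed = sign(pkt, key)
    helpful_plain = helpful_middlebox(pkt, "2001:db8:10::1", "2001:db8:20::1")
    helpful_signed = helpful_middlebox(signed, "2001:db8:10::1", "2001:db8:20::1")
    retargeted = evil_retarget(signed, "host-m", "2001:db8:bad::1")
    return {
        # No SA at all: nothing distinguishes the helpful rewrite from an evil one.
        "tagless": verify(helpful_plain, key),
        # Locator-only rewrite by the site's own box passes verification.
        "helpful_signed": verify(helpful_signed, key),
        # Rewriting the end-to-end identifier is detected...
        "evil_retarget": verify(retargeted, key),
        # ...and re-signing without the shared key does not help the attacker.
        "evil_resigned": verify(sign(retargeted, wrong_key), key),
        # A locator-only diversion still verifies: being in the data stream is
        # enough to divert the flow; the MAC only catches end-to-end tampering.
        "locator_only_divert": verify(evil_divert(signed, "2001:db8:bad::1"), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} verify -> {ok}")
```

The `locator_only_divert` case is the one to notice: an integrity tag over the immutable fields answers Geoff's question about distinguishing identifier tampering, but it does not stop an on-path box from redirecting the flow, which is exactly the interception that exists at every hop today.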