[Nfd-dev] review request: tunnel authentication protocol
Mark Stapp
mjs at cisco.com
Wed Jan 28 06:32:39 PST 2015
hmm - having looked at the ppt, there are still a lot of questions -
it's not clear that there's enough info in the slides to understand what
is actually proposed.
what do you mean by the word "tunnel"? is there some encap being
discussed somewhere that will be used? or do you mean "tcp connection"?
or do you mean "udp packets from some specific source IP+port tuple"?
is there any MAC/MIC proposed? if so, how does it work?
if there's no MAC, nothing's stopping packet injection, right? if
there's no MAC, what prevents DoS-ing the tunnel by just sending a bad
"request" message?
what about fragments - who fragments what, and how is the threat of
fragment injection handled?
what about replay attacks?
I take it there's some magic happening somewhere that allows every
router to know the acceptable public key for every valid "client"?
above all, as Marc M asked, if you're using IP, why not just use a TLS
or DTLS tunnel with mutual auth? that would even add privacy, which
would not be a bad thing at all for NDN to consider.
Thanks,
Mark
On 1/27/15 5:26 PM, Junxiao Shi wrote:
> Dear folks
>
> I have written the high-level ideas about the NFD tunnel authentication
> protocol, and I need someone to review the design.
>
> http://redmine.named-data.net/attachments/download/174/tunnel-auth_20141118.pptx
>
> If you do not yet know what the tunnel authentication protocol is, please
> see: http://redmine.named-data.net/issues/1285#note-1
>
> If you are willing to have a look at the design, I'd appreciate it.
> You don't have to be an expert in order to do a design review.
>
> Yours, Junxiao