Author: wirtz Date: Thu Jan 27 16:50:40 2011 New Revision: 2429 Log: trustpoint and pairing Modified: docs/protocol_spec/application.tex Modified: docs/protocol_spec/application.tex ============================================================================== --- docs/protocol_spec/application.tex Thu Jan 27 15:16:10 2011 (r2428) +++ docs/protocol_spec/application.tex Thu Jan 27 16:50:40 2011 (r2429) 
@@ -123,9 +123,15 @@ Traffic that is generated by a native client and is intended for the Internet rather than for an endpoint in the PISA network needs to go through this trustpoint. To this end, a native client's default route (for destinations outside the PISA address space) points to the trustpoint, which is either his own access point at home or a trustpoint of/for a number of users provided by a company or university. -At the trustpoint, this traffic is "unwrapped" and forwarded over the users own Internet connection to its original destination. - +At the trustpoint, traffic for the Internet is "unwrapped" and forwarded over the users own Internet connection to its original destination. +Return traffic intended for the client is in turn encapsulated with the HIP/IPsec and PISA tunnel mechanisms and is sent to the client. +Client and trustpoint need to know each other for the trustpoint to forward traffic towards the internet. +For the client to "know" its trustpoint it needs to know its IPv4 address in the PISA address space and the HIT this IP resolves to. +% ist das eigtl. korrekt ? kommt ja sehr auf die rolle des nutzers an, oder ? +A client may only have one trustpoint, the trustpoint is thus added as the default route/gateway for any Internet-bound traffic +For the trustpoint to only forward traffic by a trusted client, the HIT (and signed certificate) of this client needs to be known. +This information is exchanged prior to the client requesting Internet-bound traffic during the \emph{pairing} of these devices. \item[Legacy router] -- This is the pisa developer mailing list. Please also subscribe to the main pisa list at: //www.freelists.org/list/pisa
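Review bot: The added sentence "For the trustpoint to only forward traffic by a trusted client, the HIT (and signed certificate) of this client needs to be known." does not say who signs the certificate or what the trustpoint checks before it forwards, so the forwarding decision is left underspecified. Name the signer and the check here, or add a \ref to the place where the pairing is specified. The sentence "A client may only have one trustpoint, ..." is committed together with the author's own LaTeX comment asking whether it is correct and whether it depends on the role of the user. Settle that before it enters the spec as a rule, or word it as an open issue. That sentence is also missing its final period. In "it needs to know its IPv4 address in the PISA address space", the second "its" is ambiguous and should read "the trustpoint's". Smaller points: "the users own" should be "the user's own", and "towards the internet" should be capitalised like the other occurrences of "Internet" in the hunk.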