On Thu, 20 Jan 2005, Murugaraj Shanmugam wrote: > I am checking the HIP protocol for security considerations using OFMC > model checker. I found that in the HIP protocol, Sounds interesting! > ( i ). the server can authenticate to the client by sending the HI in You probably mean here that the client can authenticate the server. > clear in the R1 packet and signs it.so the Initiator can verify the > identity .(becas he knows the HI from DNS look up) Yes. The initiator (client) queries the responder's HI or HIT from the DNS and sends the I1 to the HIT calculated from the server. The responder (server) sends its HI in clear text in R1. The initiator gets the R1 packet and can verify that the HI matches the one queried from DNS and it also checks the R1 signature. The initiator sends an R2 packet. In the R2, the host identity of the initiator is sent (encrypted). > (ii ). the server cannot authenticate client, because he do not check > the HI from the DNS or from secure method. An Intruder can legitemetly > establish a connection. Good question but what does the checking from the DNS really tell the server? I guess the server can have a some kind of access control list based on host identities that cab be used for accepting only certain hosts. In the I1, the responder gets the initiator's HIT and IP address only. The responder can try to resolve the IP address if initiator and try to find if it finds a matching HIT. The HIT could be also be a type 2 (HAA) HIT which includes some information about the domain of the initiator's HIT. In the I2, the responder gets the initiators HI, HIT, IP address and possibly FQDN. FQDN can be used for resolving the initiators HIT although I doubt the usefullness of this (and it's bad for performance - more round-trips). -- Miika Komu miika@xxxxxx http://www.iki.fi/miika/