RE: Service Identity (Re: Machine Identity)

"David Harrington" <> Thu, 28 February 2008 14:02 UTC

From: "David Harrington" <>
To: "'Jeroen Massar'" <>, "'Balazs Lengyel'" <>
References: <> <> <20080228114656.GD8439@elstar.local> <> <20080228124038.GA8852@elstar.local><> <>
Subject: RE: Service Identity (Re: Machine Identity)
Date: Thu, 28 Feb 2008 09:02:40 -0500

I don't think that works very well.

We can identify the SNMP service, but there might be multiple SNMP
agents running on a device. And since different OSes have different
ideas of processes, it can be difficult to identify different
instances of the same service. (We tried to standardize facility in
the syslog WG, and couldn't come up with a standard across operating

In SNMPv3, we developed an identifier to identify each engine, but
users actually prefer to model the network topology using the IP
address, because when dealing with topology maps the purpose is to
manage the devices in the network. 

If a device catches fire, you don't want to search through diagrams of
virtual services; you want to know where the device is so you can put
the fire out. ;-)

As Juergen said, which identifier works best depends on what you are
trying to do, and no single identifier will always be the best choice.

David Harrington

> -----Original Message-----
> From: 
> [] On Behalf Of Jeroen Massar
> Sent: Thursday, February 28, 2008 8:41 AM
> To: Balazs Lengyel
> Cc:
> Subject: Service Identity (Re: Machine Identity)
>
> Balazs Lengyel wrote:
> > IMHO virtualization, and programs like VmWare are one example where it
> > is hard to say what you are trying to identify. The physical box or the
> > virtual machine?
>
> One should identify the *service*. That solves all the issues mentioned here.
>
> The service could be "your p2p app" but also "HTTP host or "HTTP host" etc.
>
> SSH Keys are a good example of this, they identify the SSH service. You
> can find that service on IPv4 port 22 and IPv6 port 22, maybe on
> different other IP addresses or other port numbers. Every time you
> connect to that service, you can communicate with it using the same
> public key, as its private key remains the same. Now if another SSH
> service steals the IP address or port number, you will get a different
> key to talk with.
>
> Solving this with HIP, but instead of "Host" making it "Service" based
> would be great.
>
> Note that a lot of virtualization is service based, not really host
> based. For that matter, the larger sites actually only care about
> services: deploy 1000 HTTP proxies for site X, deploy 1000 crawler bots
> for purpose Z etc. They really can't care less about the host
> that is just a place where the service runs.
>
> Greets,
>   Jeroen
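The SSH-key argument in the quoted message, worked through as an added example that is not part of this thread: the same key seen at several address:port pairs collapses to one service identity, while a different key turning up at a previously recorded address:port is flagged the way ssh's known_hosts check would. Key material, addresses and the fingerprint helper are constructed for illustration, not real hosts or real SSH keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed stand-ins for the wire-format public key an SSH server presents.
KEY_A = b"ssh-ed25519 constructed-key-A"
KEY_B = b"ssh-ed25519 constructed-key-B"

# Constructed observations: which key was presented at which address:port.
OBSERVATIONS = [
    ("192.0.2.10", 22, KEY_A),     # IPv4 front door
    ("2001:db8::10", 22, KEY_A),   # same service reached over IPv6
    ("192.0.2.10", 2222, KEY_A),   # same service on an alternate port
    ("192.0.2.20", 22, KEY_B),     # a different service entirely
]

def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def services_by_key(observations):
    """Group endpoints by the key they present: one key is one service identity,
    whatever addresses or ports it happens to be reachable on."""
    services = defaultdict(set)
    for addr, port, key in observations:
        services[fingerprint(key)].add((addr, port))
    return dict(services)

def build_known(observations):
    """Endpoint-keyed view, the shape a known_hosts file records."""
    return {(addr, port): fingerprint(key) for addr, port, key in observations}

def check_endpoint(known, addr, port, presented_key):
    """Compare the key now presented at addr:port with what was recorded there.
    Returns 'new' (never seen), 'match', or 'mismatch' (endpoint now answers
    with a different service's key, which is the case to alert on)."""
    recorded = known.get((addr, port))
    if recorded is None:
        return "new"
    return "match" if recorded == fingerprint(presented_key) else "mismatch"

if __name__ == "__main__":
    for fp, endpoints in services_by_key(OBSERVATIONS).items():
        print(fp, sorted(endpoints))
    known = build_known(OBSERVATIONS)
    # Another service now answers on the address:port KEY_A's service used.
    print(check_endpoint(known, "192.0.2.10", 22, KEY_B))  # mismatch
```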