Service Identity (Re: Machine Identity)

Jeroen Massar <jeroen@unfix.org> Thu, 28 February 2008 13:46 UTC

Return-Path: <discuss-bounces@ietf.org>
X-Original-To: ietfarch-discuss-archive@core3.amsl.com
Delivered-To: ietfarch-discuss-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3BCF73A6EAF; Thu, 28 Feb 2008 05:46:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kb-actNtDIvW; Thu, 28 Feb 2008 05:46:36 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0F1C13A6E95; Thu, 28 Feb 2008 05:46:36 -0800 (PST)
X-Original-To: discuss@core3.amsl.com
Delivered-To: discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CBF623A6E95 for <discuss@core3.amsl.com>; Thu, 28 Feb 2008 05:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DFTBF1Zm719x for <discuss@core3.amsl.com>; Thu, 28 Feb 2008 05:46:31 -0800 (PST)
Received: from abaddon.unfix.org (abaddon.unfix.org [194.1.163.39]) by core3.amsl.com (Postfix) with ESMTP id A95093A6B95 for <discuss@apps.ietf.org>; Thu, 28 Feb 2008 05:46:30 -0800 (PST)
Received: from [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0] (spaghetti.ch.unfix.org [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jeroen) by abaddon.unfix.org (Postfix) with ESMTPSA id C820C40202D; Thu, 28 Feb 2008 14:41:19 +0100 (CET)
Message-ID: <47C6BA02.9090000@spaghetti.zurich.ibm.com>
Date: Thu, 28 Feb 2008 14:41:22 +0100
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Balazs Lengyel <balazs.lengyel@ericsson.com>
Subject: Service Identity (Re: Machine Identity)
References: <20080226130527.GA1404@generic-nic.net> <20080228112318.GA23196@nic.fr> <20080228114656.GD8439@elstar.local> <Pine.SOL.4.64.0802281405360.10117@kekkonen.cs.hut.fi> <20080228124038.GA8852@elstar.local> <47C6B37F.2050505@ericsson.com>
In-Reply-To: <47C6B37F.2050505@ericsson.com>
X-Enigmail-Version: 0.95.6
OpenPGP: id=333E7C23
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig886B0A44846D6266E43E6055"
X-Virus-Scanned: ClamAV version 0.92.1, clamav-milter version 0.92.1 on abaddon.unfix.org
X-Virus-Status: Clean
Cc: discuss@apps.ietf.org
X-BeenThere: discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@ietf.org>
List-Help: <mailto:discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@ietf.org?subject=subscribe>
Sender: discuss-bounces@ietf.org
Errors-To: discuss-bounces@ietf.org

Balazs Lengyel wrote:
> IMHO virtualization, and programs like VmWare are one example where it 
> is hard to say what are you trying to identify. The physical box or the 
> virtual machine?

One should identify the *service*

That solves all the issues mentioned here.

The service could be "your p2p app" but also "HTTP host a.example.com" 
or "HTTP host b.example.com" etc.

SSH Keys are a good example of this, they identify the SSH service. You 
can find that service on IPv4 port 22 and IPv6 port 22, maybe on 
different other IP addresses or other port numbers. Everytime you 
connect to that service, you can communicate with it using the same 
public key, as it's private key remains the same. Now if another SSH 
service steals the IP address or port number, you will get a different 
key to talk with.

Solving this with HIP, but instead of "Host" making it "Service" based 
would be great.

Note that a lot of virtualization is service based, not really host 
based. For that matter, the larger sites actually only care about 
services: deploy 1000 HTTP proxies for site X, deploy 1000 crawler bots 
for purpose Z etc. They really can't care less about the host itself, 
that is just a place where the service runs.

Greets,
  Jeroen