RE: [EME] progress on EME

"Dan Wing" <dwing@cisco.com> Fri, 15 June 2007 18:42 UTC

Return-path: <eme-bounces@irtf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzGkh-0004fS-Rc; Fri, 15 Jun 2007 14:42:31 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzGkg-0004fM-T2 for eme@irtf.org; Fri, 15 Jun 2007 14:42:30 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HzGkf-000706-J5 for eme@irtf.org; Fri, 15 Jun 2007 14:42:30 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 15 Jun 2007 11:42:29 -0700
X-IronPort-AV: i="4.16,425,1175497200"; d="scan'208"; a="165983505:sNHT47074887"
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l5FIgS69028947; Fri, 15 Jun 2007 11:42:28 -0700
Received: from dwingwxp ([10.32.240.194]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l5FIgSaI022091; Fri, 15 Jun 2007 18:42:28 GMT
From: "Dan Wing" <dwing@cisco.com>
To: "'Paul Francis'" <francis@cs.cornell.edu>, <eme@irtf.org>
Subject: RE: [EME] progress on EME
Date: Fri, 15 Jun 2007 11:42:28 -0700
Message-ID: <04fc01c7af7c$ecdcb040$c2f0200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <E6F7A586E0A3F94D921755964F6BE006C97B72@EXCHANGE2.cs.cornell.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: AceoYLhXIgrUaKAnRhab3zsmPFuJwQHG4+vw
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2246; t=1181932949; x=1182796949; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[EME]=20progress=20on=20EME |Sender:=20; bh=HacN/NKQNAYTGM6c7bWCRz5SWu/u8nq9F74Jnv3NHi0=; b=iCbTgIznLRk8de7cxd3poZaSyH2l7aufuzSFjuPj+KXbYLdaUjE0AcMwcxmXcaEYT7Y/cnYe 1ibh3Si2JTRap3bnracQCi80yDuw31idZGjMNvk5n/abUC8YGdXhV08UZAu1jSjFYSTGrhiq3/ t0kSCcT6VqyIyZT4b2hRgund0=;
Authentication-Results: sj-dkim-1; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim1004 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cab78e1e39c4b328567edb48482b6a69
Cc:
X-BeenThere: eme@irtf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: end-middle-end research group <eme.irtf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/eme>
List-Post: <mailto:eme@irtf.org>
List-Help: <mailto:eme-request@irtf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=subscribe>
Errors-To: eme-bounces@irtf.org

 
...
> 2.  Broadly there is an interesting issue about how to define ACLs
>     (both in firewalls and endhosts).  The NUTSS paper assumes a
>     3-tuple of <user,domain,application>, where domain is meant to
>     be a DNS name, and can be wildcarded, application is meant to be
>     globally unique, user can be NULL (and doesn't have to represent
>     a human per se), and where all three are user friendly.  The
>     main question, in my mind at least, is whether domain is the
>     best basis for ACLs, or whether certificates, for instance, is
>     better (or, at least, has some better properties).  I personally
>     want to use domain names, given their ubiquity, but the question
>     is nevertheless interesting, and we should know what we are
>     giving up, both in terms of security and in terms of
>     flexibility, by using them.  Beyond this, there are questions of
>     who creates ACLs and where, and what to do when there are
>     conflicts.  This is something the ID doesn't explore, but which
>     we are beginning to understand is central to the problem.

A "HIP ACL" (for lack of a better term) seems perfect.  Consider,
for example, if I'm trying to establish communications with you --
I know you're francis@cs.cornell.edu, and I'd like to only have
communications with you.  I'd like some way to tickle my firewall
to only allow your communication (and not everyone else on the
Internet).  

So, however that flow is identified as coming from you would be
very useful.  Doesn't seem to matter much if it's a certificate
or a HIP identifier or what.  Just that you tell me what that
identifier is so that I can tell my firewall(s).  IP address
isn't adequate due to IP address spoofing and due to NATs
which rewrite addresses willy nilly and we don't know which
address realm I'm in or you're in or the relationship between
those address realms.

...
> 5.  There was one suggestion that EME be stopped, because 
> we should be discouraging middleboxes, not making them 
> easier to deploy.

Do share with us the home IP address of whoever made that
suggestion so they might be sent a few thousand pps to
saturate their access link.  (I'm only half joking.)

-d

_______________________________________________
EME mailing list
EME@irtf.org
https://www1.ietf.org/mailman/listinfo/eme