RE: [EME] progress on EME
"Dan Wing" <dwing@cisco.com> Fri, 15 June 2007 18:42 UTC
Return-path: <eme-bounces@irtf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzGkh-0004fS-Rc; Fri, 15 Jun 2007 14:42:31 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzGkg-0004fM-T2 for eme@irtf.org; Fri, 15 Jun 2007 14:42:30 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HzGkf-000706-J5 for eme@irtf.org; Fri, 15 Jun 2007 14:42:30 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 15 Jun 2007 11:42:29 -0700
X-IronPort-AV: i="4.16,425,1175497200"; d="scan'208"; a="165983505:sNHT47074887"
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l5FIgS69028947; Fri, 15 Jun 2007 11:42:28 -0700
Received: from dwingwxp ([10.32.240.194]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l5FIgSaI022091; Fri, 15 Jun 2007 18:42:28 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Paul Francis' <francis@cs.cornell.edu>, eme@irtf.org
Subject: RE: [EME] progress on EME
Date: Fri, 15 Jun 2007 11:42:28 -0700
Message-ID: <04fc01c7af7c$ecdcb040$c2f0200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <E6F7A586E0A3F94D921755964F6BE006C97B72@EXCHANGE2.cs.cornell.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: AceoYLhXIgrUaKAnRhab3zsmPFuJwQHG4+vw
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2246; t=1181932949; x=1182796949; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[EME]=20progress=20on=20EME |Sender:=20; bh=HacN/NKQNAYTGM6c7bWCRz5SWu/u8nq9F74Jnv3NHi0=; b=iCbTgIznLRk8de7cxd3poZaSyH2l7aufuzSFjuPj+KXbYLdaUjE0AcMwcxmXcaEYT7Y/cnYe 1ibh3Si2JTRap3bnracQCi80yDuw31idZGjMNvk5n/abUC8YGdXhV08UZAu1jSjFYSTGrhiq3/ t0kSCcT6VqyIyZT4b2hRgund0=;
Authentication-Results: sj-dkim-1; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim1004 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cab78e1e39c4b328567edb48482b6a69
Cc:
X-BeenThere: eme@irtf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: end-middle-end research group <eme.irtf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/eme>
List-Post: <mailto:eme@irtf.org>
List-Help: <mailto:eme-request@irtf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=subscribe>
Errors-To: eme-bounces@irtf.org
... > 2. Broadly there is an interesting issue about how to define ACLs > (both in firewalls and endhosts). The NUTSS paper assumes a > 3-tuple of <user,domain,application>, where domain is meant to > be a DNS name, and can be wildcarded, application is meant to be > globally unique, user can be NULL (and doesn't have to represent > a human per se), and where all three are user friendly. The > main question, in my mind at least, is whether domain is the > best basis for ACLs, or whether certificates, for instance, is > better (or, at least, has some better properties). I personally > want to use domain names, given their ubiquity, but the question > is nevertheless interesting, and we should know what we are > giving up, both in terms of security and in terms of > flexibility, by using them. Beyond this, there are questions of > who creates ACLs and where, and what to do when there are > conflicts. This is something the ID doesn't explore, but which > we are beginning to understand is central to the problem. A "HIP ACL" (for lack of a better term) seems perfect. Consider, for example, if I'm trying to establish communications with you -- I know you're francis@cs.cornell.edu, and I'd like to only have communications with you. I'd like some way to tickle my firewall to only allow your communication (and not everyone else on the Internet). So, however that flow is identified as coming from you would be very useful. Doesn't seem to matter much if it's a certificate or a HIP identifier or what. Just that you tell me what that identifier is so that I can tell my firewall(s). IP address isn't adequate due to IP address spoofing and due to NATs which rewrite addresses willy nilly and we don't know which address realm I'm in or you're in or the relationship between those address realms. ... > 5. There was one suggestion that EME be stopped, because > we should be discouraging middleboxes, not making them > easier to deploy. Do share with us the home IP address of whoever made that suggestion so they might be sent a few thousand pps to saturate their access link. (I'm only half joking.) -d _______________________________________________ EME mailing list EME@irtf.org https://www1.ietf.org/mailman/listinfo/eme
- [EME] progress on EME Paul Francis
- [EME] joint meeting with HIP RG at IETF? Paul Francis
- RE: [EME] progress on EME Dan Wing
- RE: [EME] progress on EME Paul Francis
- Re: [EME] joint meeting with HIP RG at IETF? Scott W Brim
- RE: [EME] joint meeting with HIP RG at IETF? Henderson, Thomas R
- RE: [EME] joint meeting with HIP RG at IETF? Paul Francis
- [EME] Is this IMS? Hannes Tschofenig
- RE: [EME] joint meeting with HIP RG at IETF? Paul Francis
- Re: [EME] Is this IMS? Scott W Brim
- Re: [EME] Is this IMS? Hannes Tschofenig