Re: [Hipsec] HIT to IP in DNS

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 21 January 2009 16:10 UTC

Return-Path: <hipsec-bounces@ietf.org>
X-Original-To: hip-archive@lists.ietf.org
Delivered-To: ietfarch-hip-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B2243A6BE7; Wed, 21 Jan 2009 08:10:24 -0800 (PST)
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A31028C154 for <hipsec@core3.amsl.com>; Wed, 21 Jan 2009 08:10:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.689
X-Spam-Level:
X-Spam-Status: No, score=-5.689 tagged_above=-999 required=5 tests=[AWL=0.910, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dmyapImqcB+7 for <hipsec@core3.amsl.com>; Wed, 21 Jan 2009 08:10:17 -0800 (PST)
Received: from stl-smtpout-01.boeing.com (stl-smtpout-01.boeing.com [130.76.96.56]) by core3.amsl.com (Postfix) with ESMTP id 860513A699F for <hipsec@ietf.org>; Wed, 21 Jan 2009 08:10:17 -0800 (PST)
Received: from blv-av-01.boeing.com (blv-av-01.boeing.com [130.247.48.231]) by stl-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id n0LG9lWq011027 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 21 Jan 2009 10:09:48 -0600 (CST)
Received: from blv-av-01.boeing.com (localhost [127.0.0.1]) by blv-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id n0LG9kk6014982; Wed, 21 Jan 2009 08:09:46 -0800 (PST)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by blv-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id n0LG9jQ1014893; Wed, 21 Jan 2009 08:09:46 -0800 (PST)
Received: from XCH-NW-5V1.nw.nos.boeing.com ([130.247.55.44]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 21 Jan 2009 08:09:35 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 21 Jan 2009 08:09:34 -0800
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0BCD6@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <alpine.LFD.2.00.0901200059400.17180@stargazer.pc.infrahip.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Hipsec] HIT to IP in DNS
Thread-Index: Acl6i7U8OYR9FCdDQ1S1+W33gCAO4wBVG4Fg
References: <alpine.LFD.2.00.0901200059400.17180@stargazer.pc.infrahip.net>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "Oleg Ponomarev" <oleg.ponomarev@hiit.fi>, <hipsec@ietf.org>
X-OriginalArrivalTime: 21 Jan 2009 16:09:35.0328 (UTC) FILETIME=[A71CD600:01C97BE2]
Subject: Re: [Hipsec] HIT to IP in DNS
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: hipsec-bounces@ietf.org
Errors-To: hipsec-bounces@ietf.org Hi Oleg,

A few comments below.

> -----Original Message-----
> From: Oleg Ponomarev [mailto:oleg.ponomarev@hiit.fi] 
> Sent: Monday, January 19, 2009 3:14 PM
> To: hipsec@ietf.org
> Subject: [Hipsec] HIT to IP in DNS
> 
> Hi!
> 
> I just submitted an initial version of a draft[1] to specify 
> one of the 
> methods used in HIPL[2] to do the HIT->current IP addresses 
> resolution. 
> This is needed to run legacy applications.

I disagree that this is strictly needed to run legacy applications.
Perhaps "may be useful" instead of "needed"?

> 
> Briefly: query A/AAAA 
> 8.7.6.5.4.3.2.1.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.1. 
> 0.0.1.0.0.2.hit-to-ip.example.net. and allow their changes from the 
> corresponding HIT.
> 
> Your comments are appreciated as usual.

You are really talking about defining domain names based on HITs and
storing them in a well known domain.  Maybe the title could be
simplified to "Storing HITs as domain names in the DNS".

What if the target end system uses an RVS?  

   2.1. Preconfigured Domain
   The systems using this method MUST have the same domain pre-
   configured, for example hit-to-ip.example.net.  

It seems like this could be slightly relaxed to state that systems MUST
share at least one top-level domain storing the HITs, since it is
conceivable that more than one server (name service provider) could be
used, and records could be looked up at multiple places.

   2.4  Managing the Records
   The system MAY send DNS UPDATE[RFC2136] to the server provided by SOA
   MNAME field of the domain.  The system MUST use HIT as the source
   address in this case.  

Can you clarify what "source address" you are talking about above?

   The system MAY add or delete A/AAAA or CNAME
   records for its own HIT representation.  The domain provided in SOA
   MNAME field of the preconfigured domain MUST have Host Identity of
   the server stored in DNS, the IP addresses MUST be listed in that
   domain using suggested method and the server MUST accept DNS UPDATE
   messages, which add or delete A/AAAA or CNAME records for the HIT
   representation of the client after successfull HIP base exchange.

It might be helpful to clarify that the HIP base exchange here serves to
authenticate the origin of the DNS UPDATE, from the server's
perspective.

Also, DHTs are an alternative lookup mechanism that can be used in this
scenario; it would be helpful to reference that draft:
http://tools.ietf.org/html/draft-ahrenholz-hiprg-dht-03

- Tom
_______________________________________________
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec