Re: [Hipsec] Thinking about LSIs

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Thu, 04 September 2008 20:34 UTC

Date: Thu, 04 Sep 2008 13:34:36 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0B7E3@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <48C02F56.4030407@htt-consult.com>
References: <E1KbJ5K-0003Em-00@alva.home> <48C02F56.4030407@htt-consult.com>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: Robert Moskowitz <rgm@htt-consult.com>, hipsec@ietf.org
Subject: Re: [Hipsec] Thinking about LSIs

> 
> > I imagine a program called "hipify" that works much like "socksify",
> > but would (I think) be somewhat more complicated than socksify and
> > may need to communicate with a daemon running on the local machine
> > that is tracking things like DNS answers that have been spoofed into
> > LSIs, etc...   Anyone else been thinking along these lines?
> >
> 
> Exactly what I am thinking. The DNS resolver gets an AAAA record and a
> HIT. Something then needs to impose and provide the app with a remote
> LSI for things to work. So perhaps there might be an app registration
> process into this hipify to limit where the magic is applied. But more
> likely once hipify is enabled, it would be enabled for MOST IPv4 apps.

I think what is important to think about is what should be the user and
application experience, and how to deploy it and troubleshoot it, and
how to manage the policy.  Whether it is actually implemented as a
socksify approach or as some kind of DNS spoofing mainly should be a
question of how you want users/system administrators to deal with it.
The existing HIP software can functionally do "hipify" already.

I think that HIP is going to have similar issues with IPv6 applications,
by the way, and I wonder whether the IESG complaint will still apply.
Namely, IPv6 LSIs, and/or the need to substitute LSIs or HITs into the
resolution process.

Tom
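
The resolver-side "hipify" step the thread describes, as an added example that is not code from the thread or from any HIP implementation: a small daemon model that takes a DNS answer carrying a HIT, hands an IPv4 application a locally allocated LSI (or hands an IPv6 application the HIT itself, the IPv6 case Tom raises), remembers the LSI/HIT-to-locator binding for use at connect() time, and applies a per-application enable policy. Assumptions not in the thread: HITs are ORCHIDs under 2001:10::/28, LSIs come from 1.0.0.0/8, the DNS answer is modelled as a plain dict with "A", "AAAA" and "HIT" lists, and the family tags "inet"/"inet6" and app names are hypothetical.

```python
"""Model of a hipify resolver shim plus its local mapping daemon.

Added example, not HIP WG or implementation code. Assumptions (not from
the thread): ORCHID prefix 2001:10::/28 for HITs, LSI pool 1.0.0.0/8,
DNS answers modelled as {"A": [...], "AAAA": [...], "HIT": [...]}.
"""
import ipaddress
from dataclasses import dataclass

ORCHID_PREFIX = ipaddress.ip_network("2001:10::/28")  # assumed HIT prefix
LSI_POOL = "1.0.0.0/8"                                 # assumed LSI range


@dataclass(frozen=True)
class Binding:
    """What the daemon remembers about one DNS answer it rewrote."""
    hit: ipaddress.IPv6Address
    lsi: ipaddress.IPv4Address
    locators: tuple  # A/AAAA addresses the HIP base exchange goes to


class LsiPoolExhausted(Exception):
    pass


class HipifyDaemon:
    def __init__(self, enabled_apps=None, pool=LSI_POOL):
        # enabled_apps=None means "enabled for MOST IPv4 apps", i.e. all.
        self.enabled_apps = enabled_apps
        self._free = ipaddress.ip_network(pool).hosts()  # LSI allocator
        self._by_hit = {}
        self._by_lsi = {}

    def _bind(self, hit, locators):
        """Return the existing binding for a HIT or allocate a fresh LSI."""
        if hit in self._by_hit:
            return self._by_hit[hit]           # stable LSI per HIT
        try:
            lsi = next(self._free)
        except StopIteration:
            raise LsiPoolExhausted("no LSI left in pool")
        b = Binding(hit=hit, lsi=lsi, locators=tuple(locators))
        self._by_hit[hit] = b
        self._by_lsi[lsi] = b
        return b

    def resolve(self, app, family, answer):
        """Rewrite a DNS answer for `app`; return the address list it sees."""
        locators = [ipaddress.ip_address(a)
                    for a in answer.get("A", []) + answer.get("AAAA", [])]
        hits = [ipaddress.IPv6Address(h) for h in answer.get("HIT", [])]
        if self.enabled_apps is not None and app not in self.enabled_apps:
            hits = []                          # policy: leave this app alone
        # Sanity check: only values inside the ORCHID prefix count as HITs.
        hits = [h for h in hits if h in ORCHID_PREFIX]
        if not hits:
            # No usable HIT: plain answer, i.e. an unprotected connection.
            key = "A" if family == "inet" else "AAAA"
            return list(answer.get(key, []))
        bindings = [self._bind(h, locators) for h in hits]
        if family == "inet":
            return [str(b.lsi) for b in bindings]   # IPv4 app gets an LSI
        return [str(b.hit) for b in bindings]       # IPv6 app gets the HIT

    def lookup(self, addr):
        """At connect(): map an LSI or HIT back to its binding, or None."""
        a = ipaddress.ip_address(addr)
        return self._by_lsi.get(a) or self._by_hit.get(a)


if __name__ == "__main__":
    d = HipifyDaemon()
    # Constructed answer: locators plus one HIT.
    ans = {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"],
           "HIT": ["2001:10::abcd"]}
    print("inet  ->", d.resolve("ssh", "inet", ans))
    print("inet6 ->", d.resolve("ssh", "inet6", ans))
    print("connect(1.0.0.1) ->", d.lookup("1.0.0.1"))
```

The mapping table is the trust boundary here: the HIP base exchange proves the peer holds the key hashing to the HIT, so a connection made through an LSI is only as trustworthy as the source of that HIT. That is why the daemon discards non-ORCHID values and why the fall-through for answers with no HIT (a plain, unprotected connection) should be visible in policy and logs rather than silent.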
_______________________________________________
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec