[Hipsec-rg] Hierarchical HITs

xuxh at huawei.com (Xu Xiaohu) Thu, 22 January 2009 03:18 UTC

From: "xuxh at huawei.com"
Date: Thu, 22 Jan 2009 11:18:35 +0800
Subject: [Hipsec-rg] Hierarchical HITs
In-Reply-To: <alpine.LFD.2.00.0901211611160.17180@stargazer.pc.infrahip.net>
Message-ID: <002a01c97c40$1d05f290$670c6f0a@china.huawei.com>

> Once again, we already have hierarchical identities (e.g. 
> domain names) and I do not see the reasons to introduce yet 
> another hierarchical space. 
> Of course, this is just my opinion.


Does every host in the HIP architecture need a FQDN? (btw, there were similar
threads on RRG, see http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)

If the access control is based on HIT, the firewall needs to maintain an ACL
with a huge amount of flat HIT entries. Both of them mean a huge burden on
firewalls. Besides, the former will also introduce a DDoS attack risk: when
a firewall enforces access control based on domain name, it will need to do a
lookup to resolve each HIT to a FQDN in order to determine its domain name.

With hierarchical HIT (Administrative Domain (AD) ID + Hash(public key + AD
ID)), the firewall can simply do access control based on the AD ID.
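The following Python example, added here and not part of the original mail or of any HIP implementation, shows the hierarchical HIT construction the mail proposes and the firewall-side difference it makes. It assumes a layout the mail does not specify (a 128-bit HIT split into a 32-bit AD ID prefix and a 96-bit SHA-256 truncation), and all host keys and AD numbers are constructed sample data. It builds a flat ACL and an AD-ID ACL over the same population of hosts, checks that both policies agree, and then shows the caveat a firewall operator would want: the AD ID prefix alone is self-asserted on the wire, so a prefix-only check must be backed by verifying that the hash suffix really binds the peer's public key to that AD ID once the key is known (in HIP, after the base exchange).

```python
import hashlib

# Assumed layout (the mail gives none): a 128-bit HIT split into a 32-bit
# Administrative Domain (AD) ID prefix and a 96-bit hash suffix.
AD_ID_BYTES = 4
HASH_BYTES = 12
HIT_BYTES = AD_ID_BYTES + HASH_BYTES  # 16 bytes, the length of a HIP HIT


def hierarchical_hit(ad_id: int, public_key: bytes) -> bytes:
    """AD ID || Hash(public key || AD ID), hash truncated to 96 bits.

    Including the AD ID under the hash binds the prefix to the key: the same
    key under a different AD ID yields a completely different suffix.
    """
    if not 0 <= ad_id < 1 << (8 * AD_ID_BYTES):
        raise ValueError("AD ID out of range")
    prefix = ad_id.to_bytes(AD_ID_BYTES, "big")
    digest = hashlib.sha256(public_key + prefix).digest()
    return prefix + digest[:HASH_BYTES]


def ad_id_of(hit: bytes) -> int:
    """The AD ID prefix is the only part a prefix-based ACL looks at."""
    return int.from_bytes(hit[:AD_ID_BYTES], "big")


def hit_binds_key(hit: bytes, public_key: bytes) -> bool:
    """True if the HIT was derived from this key under the AD ID it carries.

    The prefix is self-asserted on the wire; it is this hash check (done once
    the peer's key is known, e.g. after the HIP base exchange) that stops a
    host from presenting an allowed AD's prefix in front of its own suffix.
    """
    return len(hit) == HIT_BYTES and hierarchical_hit(ad_id_of(hit), public_key) == hit


def flat_permit(acl: set, hit: bytes) -> bool:
    """Flat ACL: one entry per permitted host HIT."""
    return hit in acl


def hierarchical_permit(acl: set, hit: bytes) -> bool:
    """Hierarchical ACL: one entry per permitted AD."""
    return ad_id_of(hit) in acl


def build_demo(hosts_per_ad: int = 1000) -> dict:
    """Constructed data: hosts in three ADs; ADs 1 and 2 permitted, AD 3 not.

    Returns the two ACL sizes, whether both policies agree on every host, and
    what each check says about a denied host that rewrites its prefix to AD 1.
    """
    permitted_ads = {1, 2}
    hosts = []  # (ad_id, public_key, hit)
    for ad in (1, 2, 3):
        for n in range(hosts_per_ad):
            # Constructed stand-in for a host public key.
            key = hashlib.sha256(f"constructed-key-ad{ad}-host{n}".encode()).digest()
            hosts.append((ad, key, hierarchical_hit(ad, key)))

    flat_acl = {hit for ad, _, hit in hosts if ad in permitted_ads}
    hier_acl = set(permitted_ads)
    agree = all(flat_permit(flat_acl, hit) == hierarchical_permit(hier_acl, hit)
                for _, _, hit in hosts)

    # A denied AD-3 host presents AD 1's prefix in front of its own suffix:
    # the prefix-only check passes, the key-binding check does not.
    ad3_key, ad3_hit = hosts[-1][1], hosts[-1][2]
    rewritten = (1).to_bytes(AD_ID_BYTES, "big") + ad3_hit[AD_ID_BYTES:]
    return {
        "flat_acl_entries": len(flat_acl),
        "hierarchical_acl_entries": len(hier_acl),
        "policies_agree": agree,
        "rewritten_prefix_passes_prefix_check": hierarchical_permit(hier_acl, rewritten),
        "rewritten_prefix_binds_key": hit_binds_key(rewritten, ad3_key),
    }


if __name__ == "__main__":
    for name, value in build_demo().items():
        print(f"{name}: {value}")
```

With 1000 hosts per AD the flat ACL carries 2000 entries while the AD-ID ACL carries 2, and the two agree on every genuine host; the rewritten-prefix case is why the prefix lookup should be treated as a fast pre-filter and the HIT-to-key binding still verified before the flow is trusted.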