[Hipsec-rg] Hierarchical HITs
xuxh at huawei.com (Xu Xiaohu) Thu, 22 January 2009 03:18 UTC
From: "xuxh at huawei.com"
Date: Thu, 22 Jan 2009 11:18:35 +0800
Subject: [Hipsec-rg] Hierarchical HITs
In-Reply-To: <alpine.LFD.2.00.0901211611160.17180@stargazer.pc.infrahip.net>
Message-ID: <002a01c97c40$1d05f290$670c6f0a@china.huawei.com>
> Once again, we already have hierarchical identities (e.g.
> domain names) and I do not see the reasons to introduce yet
> another hierarchical space.
> Of course, this is just my opinion. Oleg.

Does every host in HIP architecture need a FQDN? (BTW, there were similar threads on RRG, see http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)

If the access control is based on HIT, the firewall needs to maintain an ACL with a huge amount of flat HIT entries. Both of them mean a huge burden on firewalls. Besides, the former will also introduce a DDoS attack risk. When a firewall enforces access control based on domain name, it will need to do a lookup to resolve each HIT to an FQDN in order to determine its domain name.

With hierarchical HIT (Administrative Domain (AD) ID + Hash (public key + AD ID)), the firewall can simply do access control based on the AD ID.

Xiaohu
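The AD-ID-based check described in the message above, as an added example that is not part of the original post or of any HIP specification. The post gives only the structure AD ID + Hash(public key + AD ID); the field widths (28-bit ORCHID prefix 2001:10::/28, 32-bit AD ID, 68-bit truncated SHA-256) and all function names are assumptions.

```python
import hashlib
import ipaddress

# Assumed layout (not from the post or any HIP spec): 28-bit ORCHID prefix
# 2001:10::/28, 32-bit AD ID, 68-bit truncated SHA-256 of (public key || AD ID).
ORCHID_PREFIX = 0x2001001  # top 28 bits of 2001:10::/28
AD_BITS, HASH_BITS = 32, 68


def make_hit(public_key: bytes, ad_id: int) -> ipaddress.IPv6Address:
    """Build AD ID + Hash(public key + AD ID) as a 128-bit identifier."""
    digest = hashlib.sha256(public_key + ad_id.to_bytes(4, "big")).digest()
    h = int.from_bytes(digest, "big") >> (256 - HASH_BITS)
    return ipaddress.IPv6Address(
        (ORCHID_PREFIX << (AD_BITS + HASH_BITS)) | (ad_id << HASH_BITS) | h)


def ad_id_of(hit: ipaddress.IPv6Address) -> int:
    """Extract the AD ID field; no DNS or directory lookup is needed."""
    return (int(hit) >> HASH_BITS) & ((1 << AD_BITS) - 1)


def binding_ok(hit: ipaddress.IPv6Address, public_key: bytes) -> bool:
    """Once the peer's key is known, check the hash commits to the AD ID."""
    return make_hit(public_key, ad_id_of(hit)) == hit


def permit(hit, allowed_ads: set, public_key: bytes = None) -> bool:
    """ACL keyed on AD ID: one entry per domain instead of one per host."""
    if (int(hit) >> (AD_BITS + HASH_BITS)) != ORCHID_PREFIX:
        return False
    if ad_id_of(hit) not in allowed_ads:
        return False
    # Without the key this is only a field match; with it, a relabelled
    # AD ID no longer matches the hash portion and is rejected.
    return public_key is None or binding_ok(hit, public_key)
```

The AD ID match alone is a cheap first-pass filter; the binding between key and AD ID can only be checked where the firewall also sees the host's public key.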