[Hipsec-rg] Hierarchical HITs
samu.varjonen at helsinki.fi (Samu Varjonen) Thu, 22 January 2009 06:20 UTC
From: "samu.varjonen at helsinki.fi"
Date: Thu, 22 Jan 2009 08:20:09 +0200
Subject: [Hipsec-rg] Hierarchical HITs
In-Reply-To: <6E14FE72-1FFF-4B21-840C-59C0061FFC7E@indranet.co.nz>
References: <002b01c97c41$5ad55a60$670c6f0a@china.huawei.com> <6E14FE72-1FFF-4B21-840C-59C0061FFC7E@indranet.co.nz>
Message-ID: <49781019.9010504@helsinki.fi>
Andrew McGregor wrote:
> But you are just describing the internal workings of a certificate. So
> why does the HIP certificates work not suffice?
>

Yes, a simple certificate stating that this HI belongs to the signer's domain, carried in the CERT parameter, would suffice for the ACL purposes, at least in my opinion.

> On 22/01/2009, at 16:27, Xu Xiaohu <xuxh at huawei.com> wrote:
>
>> [please skip the previous email]
>>
>> Oleg.
>>
>> Does every host in HIP architecture need a FQDN? (btw, there were similar
>> threads in RRG, see http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)
>>
>> If the access control is based on HIT, the firewall may need to maintain
>> an ACL with a huge amount of flat HIT entries. If the access control is
>> based on domain name, it will need to do lookup to resolve each HIT to FQDN
>> in order to determine the domain name. Both of them mean a huge burden on
>> firewalls. Besides, the latter will also introduce a DDoS attack risk.
>>
>> With hierarchical HIT (Administrative Domain (AD) ID + Hash (public key + AD
>> ID)), the firewall can simply do access control based on the AD ID.
>>
>> Xiaohu
>>
>>> -----Original Message-----
>>> From: Xu Xiaohu [mailto:xuxh at huawei.com]
>>> Sent: 22 January 2009 11:19
>>> To: 'Oleg Ponomarev'; 'Zhang Dacheng'
>>> Cc: 'hipsec-rg at listserv.cybertrust.com'
>>> Subject: re: [Hipsec-rg] Hierarchical HITs
>>>
>>>
>>>> Once again, we already have hierarchical identities (e.g.
>>>> domain names) and I do not see the reasons to introduce yet another
>>>> hierarchical space.
>>>> Of course, this is just my opinion.
>>>
>>> Oleg.
>>>
>>> Does every host in HIP architecture need a FQDN? (btw, there
>>> were similar threads in RRG, see
>>> http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)
>>>
>>> If the access control is based on HIT, the firewall needs to
>>> maintain an ACL with a huge amount of flat HIT entries. Both
>>> of them mean a huge burden on firewalls. Besides, the former
>>> will also introduce a DDoS attack risk. When a firewall
>>> enforces access control based on domain name, it will need
>>> to do lookup to resolve each HIT to FQDN in order to
>>> determine its domain name.
>>>
>>> With hierarchical HIT (Administrative Domain (AD) ID + Hash
>>> (public key + AD ID)), the firewall can simply do access
>>> control based on the AD ID.
>>>
>>> Xiaohu
>>
>> _______________________________________________
>> Hipsec-rg mailing list
>> Hipsec-rg at listserv.cybertrust.com
>> https://listserv.cybertrust.com/mailman/listinfo/hipsec-rg

--
BR, Samu
"Programmer is an organism that changes caffeine into code"
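The hierarchical HIT scheme Xiaohu sketches (AD ID + Hash(public key + AD ID)) and the AD-based firewall check it enables, as an added example that is not part of the thread or of any HIP implementation. The 32-bit AD ID width, SHA-256 truncated to 96 bits, and the sample keys are assumptions chosen for illustration; the point shown is that the firewall can decide on the AD prefix alone, while the hash binds the prefix to the host's HI so a host cannot simply claim a foreign AD.

```python
import hashlib

AD_ID_BYTES = 4                 # assumed width of the Administrative Domain ID prefix
HIT_BYTES = 16                  # a HIT is a 128-bit identifier
HASH_BYTES = HIT_BYTES - AD_ID_BYTES


def hierarchical_hit(ad_id: int, public_key: bytes) -> bytes:
    """HIT = AD_ID || Hash(public_key || AD_ID), truncated to fill 128 bits."""
    ad = ad_id.to_bytes(AD_ID_BYTES, "big")
    digest = hashlib.sha256(public_key + ad).digest()   # hash choice is an assumption
    return ad + digest[:HASH_BYTES]


def ad_of(hit: bytes) -> int:
    """The firewall reads the AD ID straight off the prefix; no DNS lookup needed."""
    return int.from_bytes(hit[:AD_ID_BYTES], "big")


def hit_matches_key(hit: bytes, public_key: bytes) -> bool:
    """Recompute the HIT from the claimed AD ID and the HI seen in the base exchange."""
    return hierarchical_hit(ad_of(hit), public_key) == hit


def firewall_decision(hit: bytes, public_key: bytes, allowed_ads: set) -> str:
    """ACL keyed on AD IDs: one set lookup regardless of how many hosts each AD has."""
    if not hit_matches_key(hit, public_key):
        return "drop: HIT does not match presented HI"
    if ad_of(hit) not in allowed_ads:
        return "drop: AD not permitted"
    return "accept"


# Constructed sample data: two domains, a stand-in public key per host.
AD_TRUSTED, AD_OTHER = 0x0A0B0C0D, 0x7F000001
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
HIT_A = hierarchical_hit(AD_TRUSTED, KEY_A)
HIT_B = hierarchical_hit(AD_OTHER, KEY_B)
# Host B pastes the trusted AD ID onto its own hash: the prefix no longer binds to KEY_B.
FORGED_B = AD_TRUSTED.to_bytes(AD_ID_BYTES, "big") + HIT_B[AD_ID_BYTES:]

if __name__ == "__main__":
    acl = {AD_TRUSTED}
    print(firewall_decision(HIT_A, KEY_A, acl))      # accept
    print(firewall_decision(HIT_B, KEY_B, acl))      # drop: AD not permitted
    print(firewall_decision(FORGED_B, KEY_B, acl))   # drop: HIT does not match presented HI
```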