[Hipsec-rg] reverse DNS lookups of HITs

oleg.ponomarev at hiit.fi (Oleg Ponomarev) Tue, 13 January 2009 08:27 UTC

From: "oleg.ponomarev at hiit.fi"
Date: Tue, 13 Jan 2009 10:27:16 +0200
Subject: [Hipsec-rg] reverse DNS lookups of HITs
In-Reply-To: <E1LMUy5-00069S-00@alva.home>
References: <E1LMUy5-00069S-00@alva.home>
Message-ID: <alpine.LFD.2.00.0901130935560.17180@stargazer.pc.infrahip.net>

Hello! On Mon, 12 Jan 2009, Tim Shepard wrote:

I hope it is ok to continue the thread in this mailing list.

>>> Or, if that turns out to be a bad idea, what are the practical
>>> alternatives that allow someone to write domain-name-based ACLs?

One alternative I can imagine is to record the hostname provided by the 
peer during the HIP base exchange and resolve HITs of known peers to those 
hostnames. This would not require any centralized infrastructure, but 
would have lots of drawbacks.


> I view HITs as very similar to SSH host keys.  And just like we have no 
> need for a network-wide way of looking up an ssh host key to find out 
> what host it corresponds to, perhaps we can do without any network-wide 
> way of looking up a HIT (or HI).

I might have a mistaken view, but usually we only check the presence of 
the key in the list of authorized/known keys, so we do not need such a 
lookup.


> I think we (myself included) should all go read the FARA paper again:
>
> FARA: Reorganizing the Addressing Architecture ( the first of 3 papers 
> at http://www.isi.edu/newarch/fara.html )

I guess it would take some time to deploy a solution which requires a new 
network architecture, when we need something to use now.

-- 
Regards, Oleg.
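The alternative sketched above (pin the hostname announced in the base exchange against the peer's HIT, then evaluate a domain-name ACL against that pinned binding, much like an SSH known_hosts file) as an added example that is not part of the original thread; it assumes HITs are validated against the ORCHID prefix 2001:10::/28 and uses constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: HITs are IPv6-form identifiers under the ORCHID prefix.
HIT_PREFIX = ipaddress.ip_network("2001:10::/28")


class PeerConflict(Exception):
    """Raised when a pinned hostname is claimed by a different HIT."""


@dataclass
class KnownPeers:
    by_hit: dict = field(default_factory=dict)   # HIT -> pinned hostname
    by_host: dict = field(default_factory=dict)  # hostname -> pinned HIT

    def record(self, hit: str, hostname: str) -> None:
        """Pin hostname <-> HIT on first contact (trust on first use)."""
        addr = ipaddress.ip_address(hit)
        if addr not in HIT_PREFIX:
            raise ValueError(f"not a HIT: {hit}")
        key = str(addr)
        host = hostname.rstrip(".").lower()
        pinned = self.by_host.get(host)
        if pinned is not None and pinned != key:
            # A second HIT asserting an already-pinned name: the name offered
            # in the exchange carries no authority by itself, so refuse it.
            raise PeerConflict(f"{host} already pinned to {pinned}")
        old_host = self.by_hit.get(key)
        if old_host is not None and old_host != host:
            self.by_host.pop(old_host, None)  # drop stale reverse entry
        self.by_hit[key] = host
        self.by_host[host] = key

    def lookup(self, hit: str):
        """Reverse lookup HIT -> hostname from the local table only."""
        return self.by_hit.get(str(ipaddress.ip_address(hit)))


def acl_allows(peers: KnownPeers, hit: str, allowed_suffixes) -> bool:
    """Domain-name ACL decided on the pinned name, never on the name a
    peer offers in the current exchange; unknown HITs are denied."""
    host = peers.lookup(hit)
    if host is None:
        return False
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)
```

The drawback the message alludes to is visible in the code: nothing verifies that the announced hostname belongs to that peer, so the table only ever tells you which HIT first claimed a name.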