[Hipsec-rg] reverse DNS lookups of HITs
thomas.r.henderson at boeing.com (Henderson, Thomas R) Thu, 15 January 2009 16:49 UTC
From: "thomas.r.henderson at boeing.com"
Date: Thu, 15 Jan 2009 08:49:05 -0800
Subject: [Hipsec-rg] reverse DNS lookups of HITs
In-Reply-To: <f9f6908d31016.31016f9f6908d@huawei.com>
References: <f808bd0c3515b.3515bf808bd0c@huawei.com><77F357662F8BFA4CA7074B0410171B6D07B0BC7C@XCH-NW-5V1.nw.nos.boeing.com> <f9f6908d31016.31016f9f6908d@huawei.com>
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0BCA1@XCH-NW-5V1.nw.nos.boeing.com>
> -----Original Message----- > From: JiangSheng 66104 [mailto:shengjiang at huawei.com] > Sent: Thursday, January 15, 2009 3:05 AM > To: Henderson, Thomas R > Cc: oleg.ponomarev at hiit.fi; > hipsec-rg at listserv.cybertrust.com; brian at cs.auckland.ac.nz; > shengjiang at huawei.com > Subject: Re: RE: [Hipsec-rg] reverse DNS lookups of HITs > > > Regarding your proposal: > > > > For index and resolution purposes, HITs are aggregatable with > > management domain tags of arbitrary bit-length, similar to IPv4 > > addresses under Classless Inter-Domain Routing [RFC4632]. > > ... > > The most important security property of HIT is that it is self- > > certifying (i.e., given a HIT, it is computationally hard to > > find a > > Host Identity key that matches the HIT). Although this document > > limits the hash output to be 94-bit long, it does not affect the > > self > > certifying security property. > > > > It seems to me that this self-certifying property is lost if one > > prepends an unsecured management domain tag. There is nothing > > stoppinga malicious node from using management domain tags of its > > choosing to > > evade ACLs that are based on management domain tags. > > You are right here. > > However, as it is a ongoing proposal, we are planning to > improve this in the future version, by including management > domain tag as a part of input for hash algorthim. This will > bind management domain tag with other security properties, > like what CGA does. Hence, the ACL that are based on > managment domain tags can verify a HHIT (for example, using > trust anchor, etc.) without recording every HIT in its list. > I'm still not convinced about basing ACLs on management domain tags directly. You still need some kind of authorization from the trust anchor to use the management tag. This is likely done with certificates. But in that case, you are free to use whatever name in the certificate as the name in the ACL. For example, let's say you are a middlebox that wants to enforce that only HITs authorized by example.com can access a service. If the HIP base exchange contains a certificate from a suitable trust anchor, one can make the ACLs based on, for example, DNS names with the suffix "example.com". This name can be in the certificate. And then, in policy-enforcement filter, once a session is authenticated, a bypass for the SPIs and HITs involved can be put into the middlebox. If a management domain tag is used instead, I'm not sure you can short cut any of the above steps to authenticate the use of the tag. So, it seems like the proposed HIP Certificate extensions provide a more flexible name space for ACLs. Rather, I see value in having a so-called Type 2 HIT (see old HIP drafts for this terminology) primarily for the use case that Oleg originally raised, to facilitate reverse lookups, but with some scaling and allowance for multiple name service providers to exist. For instance, if we were able to get a reasonably sized prefix allocated from IPv6 space (such as what ULAs received), we could use ~20 to 24 bits for this prefix and ~96 to 100 bits for hash. The 24 bits could probably be divided into something like 8 bits private use and 16 bits public use, and "HIP name service providers" could register for a value in the public bits. Tom
- [Hipsec-rg] Hierarchical HITs Xu Xiaohu
- [Hipsec-rg] Hierarchical HITs Oleg Ponomarev
- [Hipsec-rg] reverse DNS lookups of HITs Henderson, Thomas R
- [Hipsec-rg] Hierarchical HITs (Was: reverse DNS l… Varjonen Samu
- [Hipsec-rg] Hierarchical HITs (Was: reverse DNS l… JiangSheng 66104
- [Hipsec-rg] reverse DNS lookups of HITs JiangSheng 66104
- [Hipsec-rg] reverse DNS lookups of HITs Henderson, Thomas R
- [Hipsec-rg] Hierarchical HITs (Was: reverse DNS l… Oleg Ponomarev
- [Hipsec-rg] reverse DNS lookups of HITs JiangSheng 66104