[Hipsec-rg] Hierarchical HITs
andrew at indranet.co.nz (Andrew McGregor) Thu, 22 January 2009 04:10 UTC
From: "andrew at indranet.co.nz"
Date: Thu, 22 Jan 2009 17:10:31 +1300
Subject: [Hipsec-rg] Hierarchical HITs
In-Reply-To: <002b01c97c41$5ad55a60$670c6f0a@china.huawei.com>
References: <002b01c97c41$5ad55a60$670c6f0a@china.huawei.com>
Message-ID: <6E14FE72-1FFF-4B21-840C-59C0061FFC7E@indranet.co.nz>
But you are just describing the internal workings of a certificate. So why does the HIP certificates work not suffice?

On 22/01/2009, at 16:27, Xu Xiaohu <xuxh at huawei.com> wrote:

> [please skip the previous email]
>
> Oleg.
>
> Does every host in HIP architecture need a FQDN? (btw, there were similar
> threads in RRG, see http://www.ops.ietf.org/lists/rrg/2008/msg02050.html )
>
> If the access control is based on HIT, the firewall maybe need to maintain
> an ACL with a huge amount of flat HIT entries. If the access control is
> based on domain name, it will need to do lookup to resolve each HIT to FQDN
> in order to determine the domain name. Both of them mean a huge burden on
> firewalls. Besides, the latter will also introduce a DDoS attack risk.
>
> With hierarchical HIT (Administrative Domain (AD) ID + Hash (public key
> + AD ID)), the firewall can simply do access control based on the AD ID.
>
> Xiaohu
>
>> -----Original Message-----
>> From: Xu Xiaohu [mailto:xuxh at huawei.com]
>> Sent: 22 January 2009 11:19
>> To: 'Oleg Ponomarev'; 'Zhang Dacheng'
>> Cc: 'hipsec-rg at listserv.cybertrust.com'
>> Subject: re: [Hipsec-rg] Hierarchical HITs
>>
>>
>>> Once again, we already have hierarchical identities (e.g.
>>> domain names) and I do not see the reasons to introduce yet another
>>> hierarchical space.
>>> Of course, this is just my opinion.
>>
>> Oleg.
>>
>> Does every host in HIP architecture need a FQDN? (btw, there
>> were similar threads in RRG, see
>> http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)
>>
>> If the access control is based on HIT, the firewall needs to
>> maintain an ACL with a huge amount of flat HIT entries. Both
>> of them mean a huge burden on firewalls. Besides, the former
>> will also introduce a DDoS attack risk. When a firewall
>> enforces access control based on domain name, it will need
>> to do lookup to resolve each HIT to FQDN in order to
>> determine its domain name.
>>
>> With hierarchical HIT (Administrative Domain (AD) ID + Hash
>> (public key + AD ID)), the firewall can simply do access
>> control based on the AD ID.
>>
>> Xiaohu
>
> _______________________________________________
> Hipsec-rg mailing list
> Hipsec-rg at listserv.cybertrust.com
> https://listserv.cybertrust.com/mailman/listinfo/hipsec-rg
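As an added illustration (not code from this thread or from any HIP implementation), the hierarchical HIT construction Xiaohu describes, AD ID + Hash(public key + AD ID), together with the AD-ID-keyed firewall check it is meant to enable. The 128-bit HIT size, the 32-bit AD ID prefix and SHA-256 are assumptions for the example; the thread fixes none of them.

```python
import hashlib

# Assumed layout (not specified in the thread): a 128-bit HIT made of a
# 32-bit AD ID prefix followed by a 96-bit truncated SHA-256 suffix.
HIT_BYTES = 16
AD_ID_BYTES = 4
HASH_BYTES = HIT_BYTES - AD_ID_BYTES


def make_hierarchical_hit(ad_id: int, public_key: bytes) -> bytes:
    """Build AD ID || Hash(public key || AD ID).

    Hashing the AD ID together with the key is what binds the key to the
    domain: changing the prefix alone changes what the hash must be.
    """
    ad_bytes = ad_id.to_bytes(AD_ID_BYTES, "big")
    digest = hashlib.sha256(public_key + ad_bytes).digest()
    return ad_bytes + digest[:HASH_BYTES]


def ad_id_of(hit: bytes) -> int:
    """Read the AD ID straight off the prefix; no HIT-to-FQDN lookup needed."""
    return int.from_bytes(hit[:AD_ID_BYTES], "big")


def hit_matches_key(hit: bytes, public_key: bytes) -> bool:
    """Verifier-side binding check: recompute the HIT from the claimed AD ID
    and the public key the peer presents, and compare."""
    return make_hierarchical_hit(ad_id_of(hit), public_key) == hit


def firewall_allows(hit: bytes, public_key: bytes, allowed_ad_ids: set) -> bool:
    """ACL keyed by AD ID instead of one entry per flat HIT.

    The binding check must come first; otherwise a host could prepend an
    allowed AD ID to its own hash and pass the prefix test.
    """
    return hit_matches_key(hit, public_key) and ad_id_of(hit) in allowed_ad_ids


if __name__ == "__main__":
    # Constructed sample keys; a real deployment would use the HI public key.
    key_a, key_b = b"constructed-public-key-A", b"constructed-public-key-B"
    acl = {10}                                      # only AD 10 is admitted
    hit_a = make_hierarchical_hit(10, key_a)
    hit_b = make_hierarchical_hit(11, key_b)
    forged = hit_a[:AD_ID_BYTES] + hit_b[AD_ID_BYTES:]  # B claims A's AD ID
    print(hit_a.hex(), firewall_allows(hit_a, key_a, acl))    # True
    print(hit_b.hex(), firewall_allows(hit_b, key_b, acl))    # False: AD 11 not in ACL
    print(forged.hex(), firewall_allows(forged, key_b, acl))  # False: binding fails
```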