[Hipsec-rg] reverse DNS lookups of HITs
thomas.r.henderson at boeing.com (Henderson, Thomas R) Mon, 12 January 2009 22:46 UTC
From: "thomas.r.henderson at boeing.com"
Date: Mon, 12 Jan 2009 14:46:54 -0800
Subject: [Hipsec-rg] reverse DNS lookups of HITs
In-Reply-To: <E1LMUy5-00069S-00@alva.home>
References: Your message of Mon, 12 Jan 2009 23:41:38 +0200. <alpine.LFD.2.00.0901122313150.17180@stargazer.pc.infrahip.net> <E1LMUy5-00069S-00@alva.home>
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0BC79@XCH-NW-5V1.nw.nos.boeing.com>
> -----Original Message-----
> From: Tim Shepard [mailto:shep at alum.mit.edu]
> Sent: Monday, January 12, 2009 2:09 PM
> To: Oleg Ponomarev
> Cc: Henderson, Thomas R; hipsec-rg at listserv.cybertrust.com
> Subject: Re: [Hipsec-rg] reverse DNS lookups of HITs
>
> > >
> > > Or, if that turns out to be a bad idea, what are the practical
> > > alternatives that allow someone to write domain-name-based ACLs?
> > >
> > > I think it would be great to gather more input on these types of
> > > deployment questions.
> >
> > Actually I wonder how could I use HITs without reverse domains, I don't
> > want to keep random hex sequences in the memory, but it is probably just
> > my feeling.
>
>
> I view HITs as very similar to SSH host keys.

I agree with that.

> And just like we have
> no need for a network-wide way of looking up an ssh host key to find
> out what host it corresponds to, perhaps we can do without any
> network-wide way of looking up a HIT (or HI).
>

I think that for small deployments, this will be adequate. However, for
others, particularly those that involve middleboxes or policy-enforcing
endboxes that inspect traffic and apply ACLs, I doubt it will be
sufficient to work with keys directly. Also, my personal experience
with ssh is that it involves a lot of leap-of-faith situations.

- Tom