[Hipsec-rg] reverse DNS lookups of HITs

miika.komu at hiit.fi (Miika Komu) Mon, 12 January 2009 13:16 UTC

From: "miika.komu at hiit.fi"
Date: Mon, 12 Jan 2009 15:16:39 +0200
Subject: [Hipsec-rg] reverse DNS lookups of HITs
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0BC79@XCH-NW-5V1.nw.nos.boeing.com>
References: Your message of Mon, 12 Jan 2009 23:41:38 +0200. <alpine.LFD.2.00.0901122313150.17180@stargazer.pc.infrahip.net> <E1LMUy5-00069S-00@alva.home> <77F357662F8BFA4CA7074B0410171B6D07B0BC79@XCH-NW-5V1.nw.nos.boeing.com>
Message-ID: <496B42B7.1030107@hiit.fi>

Henderson, Thomas R wrote:

Hi,

>> -----Original Message-----
>> From: Tim Shepard [mailto:shep at alum.mit.edu] 
>> Sent: Monday, January 12, 2009 2:09 PM
>> To: Oleg Ponomarev
>> Cc: Henderson, Thomas R; hipsec-rg at listserv.cybertrust.com
>> Subject: Re: [Hipsec-rg] reverse DNS lookups of HITs 
>>
>>
>>
>>>> Or, if that turns out to be a bad idea, what are the practical 
>>>> alternatives that allow someone to write domain-name-based ACLs?
>>>>
>>>> I think it would be great to gather more input on these types of
>>>> deployment questions.
>>> Actually I wonder how I could use HITs without reverse
>>> domains, I don't want to keep random hex sequences in the memory,
>>> but it is probably just my feeling.
>>
>> I view HITs as very similar to SSH host keys.   
> 
> I agree with that.
> 
>> And just like we have
>> no need for a network-wide way of looking up an ssh host key to find
>> out what host it corresponds to, perhaps we can do without any
>> network-wide way of looking up a HIT (or HI).
>>
> 
> I think that for small deployments, this will be adequate.  However, for
> others, particularly those that involve middleboxes or policy-enforcing
> endboxes that inspect traffic and apply ACLs, I doubt it will be
> sufficient to work with keys directly.  Also, my personal experience
> with ssh is that it involves a lot of leap-of-faith situations.

AFAIK, hip4inter.net supports opportunistic mode at the sockets layer 
(as well as OpenHIP?). HIPL supports it with LD_PRELOAD and iptables. I 
just presented yesterday our experimentation on opportunistic mode:

Miika Komu and Janne Lindqvist, Leap-of-Faith Security is Enough for IP 
Mobility, 6th Annual IEEE Consumer Communications & Networking 
Conference IEEE CCNC 2009, Las Vegas, Nevada, January 2009

I think we still need to have HI records in DNS and I believe the work 
Oleg has been doing is very valuable.
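The thread compares HITs to SSH host keys and mentions the leap-of-faith (opportunistic) situations that arise when no lookup service exists. The following is an added example, not code from this thread nor from HIPL, OpenHIP or hip4inter.net: a small trust-on-first-use store in the known_hosts style, which records the first HIT seen for a peer name and reports a mismatch on later contact, plus the ip6.arpa name a reverse lookup of a HIT would use. The ORCHID prefix 2001:10::/28 is the one defined in RFC 4843; the peer names and HIT values are constructed sample data, and the class and function names are this example's own.

```python
"""Leap-of-faith (trust-on-first-use) handling for HIP Host Identity Tags.

Added example, not from the thread or any HIP implementation.  Mirrors the
SSH known_hosts model: the first HIT seen for a peer is recorded, later
contacts are compared against it, and a change is reported rather than
silently accepted.
"""
import ipaddress
import json

# ORCHID prefix used for HITs (RFC 4843).
HIT_PREFIX = ipaddress.IPv6Network("2001:10::/28")


def normalize_hit(hit):
    """Return the canonical (compressed) text form of a HIT.

    Raises ValueError if the value is not an IPv6 address inside the
    ORCHID prefix, so a plain routable address can never be stored as a HIT.
    """
    addr = ipaddress.IPv6Address(hit)
    if addr not in HIT_PREFIX:
        raise ValueError("%s is not inside the HIT prefix %s" % (addr, HIT_PREFIX))
    return addr.compressed


def is_hit(value):
    """True if value parses as a HIT, False otherwise."""
    try:
        normalize_hit(value)
        return True
    except ValueError:
        return False


def reverse_name(hit):
    """ip6.arpa nibble name under which a reverse lookup of the HIT would go."""
    return ipaddress.IPv6Address(normalize_hit(hit)).reverse_pointer


class LeapOfFaithStore:
    """Per-peer HIT memory in the style of SSH known_hosts."""

    NEW, MATCH, MISMATCH = "new", "match", "mismatch"

    def __init__(self):
        self._known = {}  # peer name -> canonical HIT text

    def check(self, peer, hit):
        """Classify a contact from `peer` presenting `hit`.

        Returns NEW on first contact (the HIT is recorded: the leap of faith),
        MATCH when the HIT equals the recorded one, and MISMATCH when the
        peer now presents a different HIT, which a caller should treat as
        a failure rather than a reason to overwrite the record.
        """
        canonical = normalize_hit(hit)
        known = self._known.get(peer)
        if known is None:
            self._known[peer] = canonical
            return self.NEW
        return self.MATCH if known == canonical else self.MISMATCH

    def forget(self, peer):
        """Drop a recorded HIT, e.g. after an administrator verified a rekey."""
        self._known.pop(peer, None)

    def to_json(self):
        return json.dumps(self._known, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        store = cls()
        for peer, hit in json.loads(text).items():
            store._known[peer] = normalize_hit(hit)
        return store


def demo():
    """Walk one peer through first contact, repeat contact and a HIT change."""
    store = LeapOfFaithStore()
    results = [
        store.check("alpha.example", "2001:10::1"),       # constructed sample HIT
        store.check("alpha.example", "2001:0010::0001"),  # same HIT, other spelling
        store.check("alpha.example", "2001:10::2"),       # different HIT
    ]
    return results, reverse_name("2001:10::1")


if __name__ == "__main__":
    outcome, name = demo()
    print("contacts:", outcome)
    print("reverse name:", name)
```

The store deliberately does not overwrite a record on MISMATCH; as with SSH, the caller decides whether the change was a legitimate rekey and calls `forget` only after verifying it out of band.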