[Hipsec-rg] reverse DNS lookups of HITs

thomas.r.henderson at boeing.com (Henderson, Thomas R) Tue, 13 January 2009 16:15 UTC

From: "thomas.r.henderson at boeing.com"
Date: Tue, 13 Jan 2009 08:15:11 -0800
Subject: [Hipsec-rg] reverse DNS lookups of HITs
In-Reply-To: <BC5BEFD4-1EFC-43DB-BD37-55E12F00408E@indranet.co.nz>
References: <E1LMUy5-00069S-00@alva.home> <alpine.LFD.2.00.0901130935560.17180@stargazer.pc.infrahip.net> <BC5BEFD4-1EFC-43DB-BD37-55E12F00408E@indranet.co.nz>
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0BC7D@XCH-NW-5V1.nw.nos.boeing.com>

 

> >> I think we (myself included) should all go read the FARA paper again:
> >>
> >> FARA: Reorganizing the Addressing Architecture ( the first of 3
> >> papers at http://www.isi.edu/newarch/fara.html )
> >
> > I guess it would take some time to deploy a solution which requires
> > new network architecture, when we need something to use now.
>
> Those papers represent some serious research into the implications of
> the architecture.  We've implemented something with HIP, but it seems
> there is disagreement as to the architecture... if reverse lookups are
> even desirable is an architectural question, after all.  Personally, I
> think there is no need for reverse lookups.
>

I do not think there is disagreement with the architecture, but perhaps
the service model. I think there is no need for reverse lookups if
entities involved (including third party middleboxes) are handling HITs
directly, or if the HIT to domain name mapping is preconfigured, or if
the systems use other name resolution services than DNS.  However, I
suspect that will not always be the case.

Note that ssh implementations sometimes perform reverse lookups for
host authentication.  What do you see as being different for HIP?

- Tom