[Hipsec-rg] Hierarchical HITs

xuxh at huawei.com (Xu Xiaohu) Thu, 22 January 2009 03:27 UTC

From: "xuxh at huawei.com"
Date: Thu, 22 Jan 2009 11:27:29 +0800
Subject: [Hipsec-rg] Hierarchical HITs
Message-ID: <002b01c97c41$5ad55a60$670c6f0a@china.huawei.com>

[please skip the previous email]

Oleg.
 
Does every host in HIP architecture need a FQDN? (BTW, there were similar
threads in RRG, see http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)

If the access control is based on HIT, the firewall may need to maintain
an ACL with a huge amount of flat HIT entries. If the access control is
based on domain name, it will need to do a lookup to resolve each HIT to
FQDN in order to determine the domain name. Both of them mean a huge burden
on firewalls. Besides, the latter will also introduce a DDoS attack risk.

With hierarchical HIT (Administrative Domain (AD) ID + Hash (public key + AD ID)),
the firewall can simply do access control based on the AD ID.

Xiaohu

> -----Original Message-----
> From: Xu Xiaohu [mailto:xuxh at huawei.com] 
> Sent: 22 January 2009 11:19
> To: 'Oleg Ponomarev'; 'Zhang Dacheng'
> Cc: 'hipsec-rg at listserv.cybertrust.com'
> Subject: re: [Hipsec-rg] Hierarchical HITs
> 
> 
> > Once again, we already have hierarchical identities (e.g. 
> > domain names) and I do not see the reasons to introduce yet another 
> > hierarchical space.
> > Of course, this is just my opinion.
> 
> Oleg.
> 
> Does every host in HIP architecture need a FQDN? (BTW, there 
> were similar threads in RRG, see 
> http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)
> 
> If the access control is based on HIT, the firewall needs to 
> maintain an ACL with a huge amount of flat HIT entries. Both 
> of them mean a huge burden on firewalls. Besides, the former 
> will also introduce a DDoS attack risk. When a firewall 
> enforces access control based on domain name, it will need 
> to do a lookup to resolve each HIT to FQDN in order to 
> determine its domain name. 
> 
> With hierarchical HIT (Administrative Domain (AD) ID + Hash 
> (public key + AD ID)), the firewall can simply do access 
> control based on the AD ID.
> 
> Xiaohu
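A worked illustration of the hierarchical HIT proposal in this thread, written as an added example and not code from the list or from any HIP implementation. The field widths (32-bit AD ID, 96-bit hash, 128 bits total so it prints as an IPv6-style address) and the use of SHA-256 are assumptions; the mail does not fix them. The point for a firewall is that the AD ID field is self-asserted by the peer until the hash part has been checked against the public key the peer presents, so the ACL match on AD ID must come after that check.

```python
import hashlib
import ipaddress

AD_ID_BITS = 32                 # assumed width of the Administrative Domain ID field
HASH_BITS = 128 - AD_ID_BITS    # remaining bits of a 128-bit (IPv6-sized) HIT
HASH_MASK = (1 << HASH_BITS) - 1


def build_hit(ad_id: int, pubkey: bytes) -> int:
    """Hierarchical HIT = AD ID || truncated SHA-256(public key || AD ID)."""
    if not 0 <= ad_id < (1 << AD_ID_BITS):
        raise ValueError("AD ID out of range")
    ad_bytes = ad_id.to_bytes(AD_ID_BITS // 8, "big")
    digest = hashlib.sha256(pubkey + ad_bytes).digest()
    hash_part = int.from_bytes(digest, "big") >> (256 - HASH_BITS)
    return (ad_id << HASH_BITS) | hash_part


def ad_id_of(hit: int) -> int:
    """Extract the AD ID field, which is the only thing an AD-based ACL keys on."""
    return hit >> HASH_BITS


def verify_hit(hit: int, pubkey: bytes) -> bool:
    """Recompute the hash part and confirm it binds pubkey to the claimed AD ID.
    A peer that merely rewrites the AD ID field fails here because the hash
    covers the AD ID as well as the key."""
    return build_hit(ad_id_of(hit), pubkey) == hit


def acl_allows(hit: int, pubkey: bytes, allowed_ad_ids: set) -> bool:
    """Firewall decision: check the key/AD binding first, then match on AD ID.
    The ACL holds one entry per administrative domain, not one per host."""
    return verify_hit(hit, pubkey) and ad_id_of(hit) in allowed_ad_ids


def hit_to_str(hit: int) -> str:
    """Render the 128-bit HIT in IPv6 notation; the AD ID is the leading 32 bits."""
    return str(ipaddress.IPv6Address(hit))


if __name__ == "__main__":
    # Constructed sample values: two domains and one host key (not real keys).
    AD_ALLOWED, AD_OTHER = 0x0A0B0C0D, 0x01020304
    key_a = b"constructed-public-key-of-host-A"
    hit_a = build_hit(AD_ALLOWED, key_a)
    print("host A HIT:", hit_to_str(hit_a), "->", acl_allows(hit_a, key_a, {AD_ALLOWED}))
    # Same key with the AD ID field overwritten: the binding check rejects it.
    forged = (AD_OTHER << HASH_BITS) | (hit_a & HASH_MASK)
    print("forged HIT:", hit_to_str(forged), "->", acl_allows(forged, key_a, {AD_OTHER}))
```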