[Hipsec-rg] Hierarchical HITs
xuxh at huawei.com (Xu Xiaohu) Thu, 22 January 2009 03:27 UTC
From: "xuxh at huawei.com"
Date: Thu, 22 Jan 2009 11:27:29 +0800
Subject: [Hipsec-rg] Hierarchical HITs
Message-ID: <002b01c97c41$5ad55a60$670c6f0a@china.huawei.com>
[please skip the previous email]

Oleg.

Does every host in HIP architecture need a FQDN? (btw, there were similar threads in RRG, see http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)

If the access control is based on HIT, the firewall may need to maintain an ACL with a huge amount of flat HIT entries. If the access control is based on domain name, it will need to do a lookup to resolve each HIT to FQDN in order to determine the domain name. Both of them mean a huge burden on firewalls. Besides, the latter will also introduce a DDoS attack risk.

With hierarchical HIT (Administrative Domain (AD) ID + Hash (public key + AD ID)), the firewall can simply do access control based on the AD ID.

Xiaohu

> -----Original Message-----
> From: Xu Xiaohu [mailto:xuxh at huawei.com]
> Sent: 22 Jan 2009 11:19
> To: 'Oleg Ponomarev'; 'Zhang Dacheng'
> Cc: 'hipsec-rg at listserv.cybertrust.com'
> Subject: re: [Hipsec-rg] Hierarchical HITs
>
> > Once again, we already have hierarchical identities (e.g.
> > domain names) and I do not see the reasons to introduce yet another
> > hierarchical space.
> > Of course, this is just my opinion.
> > Oleg.
>
> Does every host in HIP architecture need a FQDN? (btw, there
> were similar threads in RRG, see
> http://www.ops.ietf.org/lists/rrg/2008/msg02050.html)
>
> If the access control is based on HIT, the firewall needs to
> maintain an ACL with a huge amount of flat HIT entries. Both
> of them mean a huge burden on firewalls. Besides, the former
> will also introduce a DDoS attack risk. When a firewall
> enforces access control based on domain name, it will need
> to do a lookup to resolve each HIT to FQDN in order to
> determine its domain name.
>
> With hierarchical HIT (Administrative Domain (AD) ID + Hash
> (public key + AD ID)), the firewall can simply do access
> control based on the AD ID.
>
> Xiaohu
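The AD-prefixed HIT layout described in the mail, as an added illustration (not code from the thread or from any HIP implementation): the 32/96-bit split, SHA-256 as the hash, and the key bytes are all constructed assumptions. It builds a HIT as AD ID || Hash(public key || AD ID), lets a firewall keep one ACL entry per AD instead of one per host, and checks that the hash part really commits to the AD ID carried in the prefix.

```python
import hashlib
import ipaddress

# Constructed layout (assumption): a 128-bit HIT split into a 32-bit
# Administrative Domain (AD) ID prefix and a 96-bit truncated hash.
AD_BITS = 32
HASH_BITS = 128 - AD_BITS
HASH_MASK = (1 << HASH_BITS) - 1


def hierarchical_hit(ad_id: int, pubkey: bytes) -> int:
    """HIT = AD_ID || Hash(pubkey || AD_ID), truncated to HASH_BITS."""
    ad_bytes = ad_id.to_bytes(AD_BITS // 8, "big")
    digest = hashlib.sha256(pubkey + ad_bytes).digest()
    hash_part = int.from_bytes(digest, "big") >> (256 - HASH_BITS)
    return (ad_id << HASH_BITS) | hash_part


def ad_of(hit: int) -> int:
    """The AD ID is just the top AD_BITS of the HIT: a prefix match."""
    return hit >> HASH_BITS


def verify_binding(hit: int, pubkey: bytes) -> bool:
    """True only if the hash part commits to the AD ID in the prefix.

    This catches a HIT whose AD prefix was rewritten to a permitted AD;
    it does not by itself prove the host was entitled to that AD when it
    generated its key, which needs a separate AD-assignment check.
    """
    return hierarchical_hit(ad_of(hit), pubkey) == hit


def hit_str(hit: int) -> str:
    """HITs are 128-bit, so they print like IPv6 addresses."""
    return str(ipaddress.IPv6Address(hit))


class AdFirewall:
    """ACL keyed on AD IDs: one entry per domain, not per flat HIT."""

    def __init__(self, allowed_ads):
        self.allowed_ads = set(allowed_ads)

    def permit(self, hit: int, pubkey: bytes) -> bool:
        return ad_of(hit) in self.allowed_ads and verify_binding(hit, pubkey)


if __name__ == "__main__":
    pk = b"constructed-public-key-bytes"       # stands in for a real HI
    h = hierarchical_hit(0x00010002, pk)
    print(hit_str(h), AdFirewall([0x00010002]).permit(h, pk))
```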