IETF Logo Mail Archive

Re: [Hipsec] WGLC: draft-ietf-hip-reload-instance-00

Ari Keranen <ari.keranen@nomadiclab.com> Tue, 02 March 2010 08:36 UTC

Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B62C23A863F for <hipsec@core3.amsl.com>; Tue, 2 Mar 2010 00:36:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCAWHshT7OuS for <hipsec@core3.amsl.com>; Tue, 2 Mar 2010 00:36:55 -0800 (PST)
Received: from gw.nomadiclab.com (n2.nomadiclab.com [IPv6:2001:14b8:400:101::2]) by core3.amsl.com (Postfix) with ESMTP id 707A23A70E2 for <hipsec@ietf.org>; Tue, 2 Mar 2010 00:36:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by gw.nomadiclab.com (Postfix) with ESMTP id 225C54E6D7; Tue, 2 Mar 2010 10:36:55 +0200 (EET)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from gw.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9249RYjyEol; Tue, 2 Mar 2010 10:36:54 +0200 (EET)
Received: from [IPv6:2001:14b8:400:101:21c:23ff:fe45:a6c1] (unknown [IPv6:2001:14b8:400:101:21c:23ff:fe45:a6c1]) by gw.nomadiclab.com (Postfix) with ESMTP id 79AFE4E6C3; Tue, 2 Mar 2010 10:36:54 +0200 (EET)
Message-ID: <4B8CCE26.7010104@nomadiclab.com>
Date: Tue, 02 Mar 2010 10:36:54 +0200
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4B5F07F6.7080800@ericsson.com> <7CC566635CFE364D87DC5803D4712A6C4C1F48A7C0@XCH-NW-10V.nw.nos.boeing.com > <4B83F243.6070208@nomadiclab.com> <7CC566635CFE364D87DC5803D4712A6C4C1F48A7D1@XCH-NW-10V.nw.nos.boeing.com> <4B8689B0.50704@nomadiclab.com> <7CC566635CFE364D87DC5803D4712A6C4C1F48A7FF@XCH-NW-10V.nw.nos.boeing.com> <4B877153.10908@nomadiclab.com> <7CC566635CFE364D87DC5803D4712A6C4C1F48A81E@XCH-NW-10V.nw.nos.boeing.com> <4B8BF48E.2060301@nomadiclab.com> <7CC566635CFE364D87DC5803D4712A6C4C1F48A831@XCH-NW-10V.nw.nos.boeing.com>
In-Reply-To: <7CC566635CFE364D87DC5803D4712A6C4C1F48A831@XCH-NW-10V.nw.nos.boeing.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-reload-instance-00
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 08:36:56 -0000

Henderson, Thomas R wrote:
>>> I think we should really explore this idea more but let's4
>> do so in the more RFC4423bis context as discussed in the other
>> thread.  I wasn't objecting to the idea per se, but just that we
>> should not slip it into this draft if it is not really recognized
>> as a part of HIP today.
>> 
>> Actually, we used to have a milestone about this in the charter,
>> but it was removed last July when the WG's conclusion was that 
>> transformations would be context specific. So, this already is
>> recognized as part of the HIP today.
> 
> Can you point me to a document that shows where this is recognized as
> part of HIP today?

The WG overlay documents, HIP BONE and RELOAD instance, have reflected 
this. Yes, they are not RFCs, but my point was that this is nothing we 
have introduced here out of the blue.

>>> I see pros and cons to non-ORCHID HITs: - pro:  can be designed
>>> to be hierarchical or formatted as
>> needed.  Can they even be IPv6 addresses?
>>> - con:  HITs are no longer unique.  It is really the
>> certificate which is the unique identifier.
>>> It does seem more flexible and may have deployment
>> advantages.  Does it solve the ACL problem with current HITs (that
>> they are non-aggregatable)?  It could lead to aggregatable HITs but
>> then the ACL will need to know the authorizing enrollment server
>> for those HITs, and check CERTs.
>> 
>> These questions are good to be explored on RFC4423bis, but we don't
>> need the answers to proceed with the RELOAD instance spec, so I
>> would not delay the instance spec by making it depend on
>> RFC4423bis.
>> 
>> Anyhow, we are not changing anything fundamental in HIP, and having
>> this property we can make HIP meet the different requirements that
>> people building overlays have.
>> 
> 
> I disagree that this changes anything fundamental:  RFC5201, section
> 3.1: 3.1.  Host Identity Tag (HIT)
> 
> The Host Identity Tag is a 128-bit value -- a hashed encoding of the 
> Host Identifier.

OK, that's true, only the "ORCHID mode" identifiers are strictly HITs in 
that sense so we could call the generic RELOAD mode IDs something else. 
Perhaps RITs?

> I am not opposed to relaxing this in principle but I do not recall
> that we have agreed on how to do this.

When we removed the generic transformation milestone from the charter, 
the conclusion was that the transformation (or Node ID generation) would 
be done in different ways depending on the peer protocol and thus better 
defined in the instance specs. And that's what the RELOAD instance spec 
now does. Also, if the ID is generated as the RELOAD draft proposes (SHA 
of the public key; which you could use also as the the Host ID), it 
actually even fits nicely to the definition of HIT.


Cheers,
Ari

v2.23.0 | Report a Bug | By Email