[Hipsec] [Hipsec-rg] additional text to HIP legacy apps draft
Miika Komu <miika@iki.fi> Tue, 16 May 2006 21:45 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fg7Lm-00031A-56; Tue, 16 May 2006 17:45:06 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fg7Ll-000315-8c for hipsec@ietf.org; Tue, 16 May 2006 17:45:05 -0400
Received: from twilight.cs.hut.fi ([130.233.40.5]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fg7Lh-0001Ja-Ja; Tue, 16 May 2006 17:45:05 -0400
Received: by twilight.cs.hut.fi (Postfix, from userid 60001) id CF25030D3; Wed, 17 May 2006 00:45:00 +0300 (EEST)
X-Spam-Checker-Version: SpamAssassin 3.1.1-niksula20060321 (2006-03-10) on twilight.cs.hut.fi
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED autolearn=failed version=3.1.1-niksula20060321
X-Spam-Niksula: No
Received: from kekkonen.cs.hut.fi (kekkonen.cs.hut.fi [130.233.41.50]) by twilight.cs.hut.fi (Postfix) with ESMTP id F37A63088; Wed, 17 May 2006 00:44:59 +0300 (EEST)
Received: from localhost (mkomu@localhost) by kekkonen.cs.hut.fi (8.13.4+Sun/8.13.3) with ESMTP id k4GLixio008069; Wed, 17 May 2006 00:44:59 +0300 (EEST)
X-Authentication-Warning: kekkonen.cs.hut.fi: mkomu owned process doing -bs
Date: Wed, 17 May 2006 00:44:59 +0300
From: Miika Komu <miika@iki.fi>
X-X-Sender: mkomu@kekkonen.cs.hut.fi
To: hipsec@ietf.org
Message-ID: <Pine.SOL.4.64.0605170043430.29133@kekkonen.cs.hut.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8a20a483a84f747e56475e290ee868e
Cc: hipsec-rg@ietf.org
Subject: [Hipsec] [Hipsec-rg] additional text to HIP legacy apps draft
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Errors-To: hipsec-bounces@lists.ietf.org
(Apologies for double copies, used the old list address by accident) Earlier I left the topic "RE: feedback from draft-hip-applications-02" dangling on hipsec-rg list. Let me now return to that topic by providing some more concrete text to the draft. Sorry for crossposting both to WG and RG lists, but the draft is now an official WG item. Comments are welcome, as always. Thomas, feel free modify and adapt the text to the draft. 3.2. Using DNS .. New paragraph: "Return HIP HITs instead of IP addresses": For legacy applications that are not hard coded using IPv4 addresses, it is also possible to return HITs in resolver calls. An advantage of returning a HIT in comparison to returning an LSI is that a HIT is not only a locally created identifier but rather has a global meaning. The drawbacks are mostly related to referrals which are discussed in detail in section <3.4>. Additionally, the resolver implementation has to be careful to return the HITs only when the application requests AF_ANY or AF_INET6 type of addresses. A HIP enabled resolver is expected to return first the HITs and only after that a list of IPv6 addresses, unless the AI_HIP flag is set, as descibed in more detail in section <3.5>. Suggest adding new section 3.4: Referral issues A referral is the case when three or more instances of an application interacts and the first instance communicates with the second instance, and then communicates with the third instances and wishes to tell the third instance how to contact the second instance [B]. In order to maximize backwards compatibility with legacy applications, it is important to consider the type of referrals that applications use. However, maximizing backwards compatibility may have some negative impacts that need to be considered. In this section, we consider four types of referrals: end-point identifiers (HITs), end-point locators (IP addresses) and middlebox locators (rendezvous). Using HITs as referrals may not work with legacy hosts that are not HIP capable as the HITs are not routable. Having routable HITs requires additional infrastructure, such as overlays [C]. In addition, resolving HITs to IP addresses in HIP aware applications requires also extra infrastructure such as DHTs because HITs contain no hierarchical information, which is really required by DNS. A benefit of using HITs at the application layer is that they have a longer expected lifetime than IP addresses in mobile environments. However, there may be middleboxes, such as NATs between the end-points. As a HIT denotes an end-point rather than "middle-point", HITs might be more useful than locators with NATted environments, especially when end-points are mobile and when both communicating end-points are behind NATs. On the other hand, the use of end-point IP addresses as referrals has the quite the opposite benefits and drawbacks to HITs. One benefit of using end-point IP addresses as referrals is that they are backwards compatible even with legacy hosts that are not HIP capable. In addition, they do not require any new infrastructure. As a drawback, the expected lifetime of IP addresses in mobile environments is lower than HITs. Another drawback is that it may be more difficult to disambiquite whether a given IP address belongs to the end-point host or e.g. a NAT middle-box. Using rendezvous IP addresses as referrals does not work with legacy hosts that are not HIP capable. In addition, the rendezvous servers themselves are required as an additional infrastructure. As a benefit, the expected lifetime of this type of referrals is also longer than for end-point addresses in mobile environments. As a second benefit, this case might be useful for establishing opportunistic HIP connection between HIP capable hosts assuming that the rendezvous server has a sufficient supply of locators (one dedicated locator per one responder). When a single rendezvous address is dedicated for a single responder, using rendezvous addresses as referrals may be less ambigious than when using end-point addresses, but more ambiguous than when using HITs. New section "3.5 Enforcing the use of HIP in legacy applications" In general, legacy applications are expected to be HIP unaware. In practice, this means that the source code of the actual application remains unmodified. However, there might be cases when the use of HIP is being enforced by either very minimal changes to the application source code or to the underlying, dynamically loadable resolver libraries. The motivation for doing this is to force the application to establish connections using HIP, or to not to establish them at all [A]. When the application source code can be modified, AI_HIP flag can set to getaddrinfo() resolver call. This way, the application either gets LSIs/HITs or nothing at all. Alternatively, the resolver library can be configured to force the resolver to enforce system specific behaviour when the source code of the application cannot be modified. In this case, the resolver can return either LSIs/HITs or nothing at all. [A] Applying a cryptographic namespace to applications http://portal.acm.org/ft_gateway.cfm?id=1080786&type=pdf&coll=portal&dl=ACM&CFID=76024067&CFTOKEN=9663775 [B] http://www.ietf.org/internet-drafts/draft-nordmark-shim6-esd-00.txt [C] http://www.ambient-networks.org/docs/Host_Identity_Indirection_Infrastructure_Hi3.pdf -- Miika Komu miika@iki.fi http://www.iki.fi/miika/ _______________________________________________ Hipsec-rg mailing list Hipsec-rg@listserv.cybertrust.com https://listserv.cybertrust.com/mailman/listinfo/hipsec-rg _______________________________________________ Hipsec mailing list Hipsec@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hipsec
- [Hipsec] [Hipsec-rg] additional text to HIP legac… Miika Komu
- RE: [Hipsec] [Hipsec-rg] additional text to HIP l… Henderson, Thomas R
- RE: [Hipsec] [Hipsec-rg] additional text to HIP l… Miika Komu
- RE: [Hipsec] [Hipsec-rg] additional text to HIP l… Henderson, Thomas R
- RE: [Hipsec] [Hipsec-rg] additional text to HIP l… Miika Komu