Re: [Hipsec] New HIP WG charter proposal
Tobias Heer <heer@cs.rwth-aachen.de> Fri, 07 May 2010 08:56 UTC
From: Tobias Heer <heer@cs.rwth-aachen.de>
In-reply-to: <5E24EE17-E367-4CA9-9453-EF3DFF264DFD@nomadiclab.com>
Date: Fri, 07 May 2010 10:57:06 +0200
Message-id: <8F0B7D94-14FC-4F80-B02B-8150BCF561B1@cs.rwth-aachen.de>
References: <4BDBD41E.5030107@ericsson.com> <4BDFE5B7.3020500@oracle.com> <4BE02580.8060808@htt-consult.com> <5E24EE17-E367-4CA9-9453-EF3DFF264DFD@nomadiclab.com>
To: Jan Melen <Jan.Melen@nomadiclab.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] New HIP WG charter proposal
Hi,

On 05.05.2010 at 18:28, Jan Melen wrote:

> Hi,
>
> To me the new charter looks good. For referrals I don't see any big problems. As mentioned already by Miika and Bob, we have gained quite a bit of experience on how much of a problem the referrals are, and according to that experience there are only very few cases where they cannot be made to work; in all other cases the referrals can be resolved through mechanisms described by Bob.

I would like to stress that crypto agility might add some more spice to the referral issue because it may lead to transitivity problems caused by namespace fragmentation. Therefore, it is necessary to keep the number of different HIT types (i.e., signature and hash algorithms) really small and the support for the algorithms broad. Otherwise, referrals will require more sophisticated mechanisms like certificates that bind different HITs together.

BR,

Tobias

>
> Of course these are issues that need to be documented in the architecture and DNS documents.
>
> Regards,
> Jan
>
> On May 4, 2010, at 4:47 PM, Robert Moskowitz wrote:
>
>> On 05/04/2010 05:15 AM, Erik Nordmark wrote:
>>> On 05/ 1/10 12:11 AM, Gonzalo Camarillo wrote:
>>>> Hi,
>>>>
>>>> as you know, we need to recharter the WG in order to move our specs to
>>>> the standards track. I have put together a charter proposal (see
>>>> attachment). Please, let me know if you have any comments on it.
>>>
>>> What is the current state of handling applications that do referrals with HIP? Last time I looked there wasn't any useful support for this.
>>
>> Here is pretty much what we have learned over the past many years...
>>
>> If the referral is an IP address the following MAY occur:
>>
>> If the app just issues an http://<addr>/<whatever> the HIP shim MAY perform an opportunistic HIP BEX and, if successful, proceed with the connection over HIP. If opportunistic failed or was not configured, then the connection will occur "open", that is, without HIP.
>>
>> If the app issues a reverse lookup on <addr> and retrieves a DNS HI record, then again, HIP would be used for the connection.
>>
>> If the referral is a HIT, then the HIP shim would need some mechanism to perform the HIT to IP lookup. One would have to ASSuME that since a HIT was provided in a referral, a lookup mechanism was provided by the server, and hopefully the client will use the 'right one'. One possibility is DHT. Another is DNS. DNS reverse lookups of HITs are a problem, as they are flat within the ORCHID prefix (well, flat within the new concept of HIT suites). This is where Hierarchical HITs MAY be of value.
>>
>> So the short answer is: referrals work if the referral is an IP address. Referrals MAY work if the referral is a HIT.
>>
>>>
>>> I think preserving that part of the Internet architecture is important in whatever we put on the standards track.
>>
>> We all think this and see regular cases where things work only sometimes. I feel that in HIP we have found that it makes more things work (like IPv4 dumb apps running over IPv6 networks) than it makes things hard.
>>
>> Perhaps the above discussion can be captured in one of the HIP documents if it is not already there.
>>
>>
>> _______________________________________________
>> Hipsec mailing list
>> Hipsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/hipsec
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec

-- 
Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
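The referral cases Bob walks through (IP address vs. HIT) and the HIT-suite fragmentation Tobias warns about, modelled as an added example. This is editor-written code, not code from the thread, the HIP WG or any HIP implementation. It assumes the ORCHID layout of RFC 4843 (28-bit prefix 2001:10::/28 followed by hash bits), a hypothetical HIT-suite layout that spends 4 of the hash bits on a suite identifier, a toy in-memory resolver standing in for DNS or a DHT, and byte strings standing in for host identity public keys. The "binding" table is a stand-in for the certificates Tobias mentions; the security-relevant step that survives the simplification is that whichever path returns an HI, the shim checks that the HI really hashes to the referred HIT before starting a BEX.

```python
"""Model of HIP referral handling and HIT-suite namespace fragmentation.

Editor-added example (not from the hipsec thread or any HIP implementation).
Assumptions: RFC 4843 ORCHID layout (28-bit prefix + 100 hash bits), a
hypothetical HIT-suite layout using 4 of those bits as a suite ID, a toy
resolver in place of DNS/DHT, and byte strings in place of HI public keys.
"""
import hashlib
import ipaddress

ORCHID_PREFIX = ipaddress.ip_network("2001:10::/28")          # RFC 4843
# HIP context identifier (RFC 4843 / RFC 5201); its value does not change the logic.
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")

# Hypothetical HIT suites: suite ID (4 bits) after the prefix, then 96 hash bits.
SUITES = {"sha1": (1, "sha1"), "sha256": (2, "sha256"), "sha384": (3, "sha384")}


def make_hit(hi: bytes, suite: str) -> ipaddress.IPv6Address:
    """Derive the HIT of host identity `hi` under the given (assumed) HIT suite."""
    suite_id, algo = SUITES[suite]
    digest = hashlib.new(algo, HIP_CONTEXT_ID + hi).digest()
    hash96 = int.from_bytes(digest, "big") >> (len(digest) * 8 - 96)   # leftmost 96 bits
    prefix28 = int(ORCHID_PREFIX.network_address) >> 100
    return ipaddress.IPv6Address((prefix28 << 100) | (suite_id << 96) | hash96)


def hit_suite(hit: ipaddress.IPv6Address) -> int:
    return (int(hit) >> 96) & 0xF


def classify_referral(ref: str) -> str:
    """An application hands the shim a literal: is it a plain locator or a HIT?"""
    addr = ipaddress.ip_address(ref)
    return "hit" if addr.version == 6 and addr in ORCHID_PREFIX else "ip"


class Resolver:
    """Toy stand-in for the HIT->(HI, locator) lookup. Flat: keyed by HIT only."""

    def __init__(self):
        self.records = {}    # HIT -> (HI bytes, locator)
        self.bindings = {}   # HIT -> HIT of the same host under another suite

    def publish(self, hi: bytes, suite: str, locator: str) -> ipaddress.IPv6Address:
        hit = make_hit(hi, suite)
        self.records[hit] = (hi, locator)
        return hit

    def bind(self, hit_a, hit_b):
        """Stand-in for a certificate binding two HITs of one host together."""
        self.bindings[hit_a] = hit_b
        self.bindings[hit_b] = hit_a

    def lookup(self, hit):
        if hit in self.records:
            return self.records[hit]
        return self.records.get(self.bindings.get(hit))


def resolve_referral(resolver: Resolver, ref: str, supported: set) -> tuple:
    """What the shim does with a referral. `supported` = HIT suites this host implements."""
    if classify_referral(ref) == "ip":
        # Bob's case: try an opportunistic BEX, otherwise the connection goes "open".
        return ("opportunistic_bex_or_plain", ref)
    hit = ipaddress.IPv6Address(ref)
    algo = next((name for name, (sid, _) in SUITES.items() if sid == hit_suite(hit)), None)
    if algo not in supported:
        # Cannot even verify an HI against this HIT: narrow algorithm support bites here.
        return ("unsupported_suite", hit_suite(hit))
    record = resolver.lookup(hit)
    if record is None:
        return ("unresolvable", ref)
    hi, locator = record
    if make_hit(hi, algo) != hit:
        # Never trust the lookup path: the returned HI must hash to the referred HIT.
        return ("hi_mismatch", ref)
    return ("bex", locator)


def demo() -> dict:
    """Constructed scenario: a host published only its SHA-1 HIT, a peer refers by SHA-256 HIT."""
    hi = b"constructed-host-identity-public-key"    # stands in for an RSA/DSA HI
    resolver = Resolver()
    hit_sha1 = resolver.publish(hi, "sha1", "192.0.2.10")
    hit_sha256 = make_hit(hi, "sha256")
    broad, narrow = {"sha1", "sha256"}, {"sha1"}
    results = {
        "ip_referral": resolve_referral(resolver, "192.0.2.10", broad)[0],
        "same_suite": resolve_referral(resolver, str(hit_sha1), broad)[0],
        "fragmented": resolve_referral(resolver, str(hit_sha256), broad)[0],
    }
    resolver.bind(hit_sha1, hit_sha256)       # the "certificate" Tobias mentions
    results["bound"] = resolve_referral(resolver, str(hit_sha256), broad)[0]
    results["narrow_support"] = resolve_referral(resolver, str(hit_sha256), narrow)[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The `fragmented` case is the transitivity problem: the same host, the same HI, but a referral under a second HIT type finds nothing in a flat HIT-keyed namespace until a binding exists; `narrow_support` shows that a binding does not help a client that cannot compute the referred suite at all, since it could not verify the HI it gets back.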