IETF Logo Mail Archive

Re: [Hipsec] Selection of LSI address block

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Fri, 21 August 2009 04:40 UTC

Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BA7823A69EE for <hipsec@core3.amsl.com>; Thu, 20 Aug 2009 21:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.177
X-Spam-Level:
X-Spam-Status: No, score=-6.177 tagged_above=-999 required=5 tests=[AWL=0.422, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LLD8HKGkDZTX for <hipsec@core3.amsl.com>; Thu, 20 Aug 2009 21:40:13 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by core3.amsl.com (Postfix) with ESMTP id C0C953A6B40 for <hipsec@ietf.org>; Thu, 20 Aug 2009 21:40:12 -0700 (PDT)
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [192.76.190.6]) by blv-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id n7L4dwXv023424 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 20 Aug 2009 21:39:59 -0700 (PDT)
Received: from stl-av-01.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id n7L4dwWN022739; Thu, 20 Aug 2009 23:39:58 -0500 (CDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by stl-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id n7L4dvN2022728; Thu, 20 Aug 2009 23:39:58 -0500 (CDT)
Received: from XCH-NW-5V1.nw.nos.boeing.com ([130.247.55.44]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 20 Aug 2009 21:39:57 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 20 Aug 2009 21:39:33 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D0A8B7265@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A8DC176.3000608@hiit.fi>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Hipsec] Selection of LSI address block
Thread-Index: Acoh3hdouJ/OuY7eSN6HyUyY1ofU0QAOFBkg
References: <4A8CF111.5010901@hiit.fi> <4A8D2557.4060705@htt-consult.com><77F357662F8BFA4CA7074B0410171B6D0A8B7264@XCH-NW-5V1.nw.nos.boeing.com> <4A8DC176.3000608@hiit.fi>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: miika.komu@hiit.fi, hip WG <hipsec@ietf.org>
X-OriginalArrivalTime: 21 Aug 2009 04:39:57.0685 (UTC) FILETIME=[6FB09250:01CA2219]
Subject: Re: [Hipsec] Selection of LSI address block
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2009 04:40:15 -0000

 

> -----Original Message-----
> From: Miika Komu [mailto:miika.komu@hiit.fi] 
> Sent: Thursday, August 20, 2009 2:35 PM
> To: hip WG
> Subject: Re: [Hipsec] Selection of LSI address block
> 
> Henderson, Thomas R wrote:
> 
> > For use within a larger scope, such as a site, an address 
> range in an
> > existing private address block might be the best choice.
> > 
> 
> sorry, but I'd disagree on using private address realms for 
> LSI. IMHO, 
> the private address space is the worst choice for three reasons:
> 
> 1) You have to guess which one private address space is 
> unoccupied for NATs.

Yes, I agree that if all private addresses are in use in a site, or one
cannot determine which addresses are likely to be active, then private
space may not be a good choice.  However, many sites where HIP may be
deployed may not otherwise use private space at all.  Also, note that
some applications (e.g. virtual machine monitors) already scan networks
for unused private subnets and start using them once a vacant one is
found.

> 2) Mobility can cause more conflicts with the selection of the LSI 
> prefix selection. Implementations would have to handle dynamic 
> renumbering of the LSI prefix and it would be a mess!

Yes, if you are roaming into unknown networks, this would be a bad
choice.

> 3) Management for LSIs without a fixed prefix would be more 
> complicated 
> for ACLs in legacy apps. It makes the administrators life 
> more complicated.
> 

What kind of ACLs in applications are you thinking of?

> The 1.0.0.0 prefix is the least problematic and 127.0.0.0 is 
> the second 
> best, IMHO.

I agree that if we can obtain a full /8 for LSIs or host identities,
that would be easiest.  I'm not sure 127/8 is preferable to private
space for the reasons Jeff mentioned, but it probably should be tested.
If we were to obtain a smaller prefix such as /16, it probably would
still be OK but would reduce the likelihood that LSIs could easily be
randomly generated (such as using the low order bits of the HIT) without
collisions.

I would be willing to amend my previous statement such as:

For use within a larger scope, such as a site, an address range in an
existing private address block might be the best choice, unless the
host may, in the future, move to or obtain an address on a network 
that uses such private addressing.

Anyway, it is not going to affect interoperability if an implementation
chooses an unused private address block, an unallocated block, or
something like Net1.

Tom

v2.30.2 | Report a Bug | By Email | System Status