Protocol type for HIP -- was -- Re: [Hipsec] Moving the base spec forward
pekka.nikander@nomadiclab.com (Pekka Nikander) Tue, 14 September 2004 06:26 UTC
From: pekka.nikander@nomadiclab.com
Date: Tue, 14 Sep 2004 06:26:00 +0000
Subject: Protocol type for HIP -- was -- Re: [Hipsec] Moving the base spec forward
In-Reply-To: <4145F2A3.5030204@acm.org>
References: <20040911232318.87825.qmail@web81205.mail.yahoo.com> <23ADD52E-057C-11D9-A8F6-000D9331AFB0@nomadiclab.com> <4145F2A3.5030204@acm.org>
Message-ID: <A7D27E86-0641-11D9-82B1-000D9331AFB0@nomadiclab.com>
X-Date: Tue Sep 14 06:26:00 2004
> I strongly disagree with this. Let's backtrack a little bit here. In > the > past (and present) we have used the socket quadruple to demux different > connection. The assumption was that the quad will not change after > connection setup. With mobility and multi homing, the IP address > change, > so we need a new mechanism to demux different connections. You are > achieving this through SPIs. No, we are not achieving this through SPIs. We are achieving this through using the HITs in the socket and the pseudo-header, as Tom already wrote. There rest, like using SPIs as a shorthand, is details, and not important from the highest architectural-level point of view. The rest of your argument doesn't hold, as it looks at the situation from a very different point of view. While your viewpoint is true for many of the current implementations, it misses the architectural change. > Also, if you want to support multicast using HIP, you will need yet > another key exchange--substantially different from HIP key exchange. > Are you proposing to use another protocol-type for multicast key > exchange. Of course not. There are more than enough space for extensions in the current HIP protocol. > And yes, you can multiplex all of them on the same protocol > type, but then it will be my turn to cry the complexity wolf. I still hold the opinion that architectural complexity is well measured by the number of LOC needed to implement it. (With some caveat emptors, of course, like not accepting ugly code.) As you add more features, you need more code. If your new protocols can benefit from existing infrastructure, in a clean way, then you can save in terms of LOC. In other words, I don't buy you argument that implementing different kinds of control protocols within a layer 3.5 control protocol is necessarily bad design and leads to complexity. Using TCP or UDP demuxing may lead to architecturally worse complexity, like necessitating built-in port based policy rules. > To me, architecturally it seems cleaner to keep the SA management > (i.e., > 3.5 layer management) separate from the 3.5 layer itself. HIP key > exchange is a 3.5 layer manager, and there is no need to mix it with > the > 3.5 demuxing layer itself--which you achieve through SPI. This is a fundamental difference in opinions. Some people hold the opinion that it is better to have separate control protocols and separate data traffic protocols, like in the telephone networks. Some people think that it is better to have in-band signalling, like in TCP. I guess my opinion is somewhere in the middle ground. Especially, I think that Layer N signalling should not depend on Layer N+K protocols for any K>0. Consequently, Layer N signalling is always either in-band at layer N, or directly at Layer N+1. (You can read the comment above that IKE, with is use of UDP, is badly designed.) Another issue here is, again, middle boxes. Having the control protocol on a separate protocol number makes it easier to separate data traffic and control traffic on a middle box. No need to look inside ESP, TCP or UDP, and therefore simpler fast path. >>> IKE is implemented on UDP for a good reason. Out of curiosity, what are those good reasons? > http://www.ietf.org/internet-drafts/draft-moskowitz-hip-arch-06.txt? > Isn't this draft in RFC queue right now? -05 was, but was pulled back for a number of reasons. The current plan is to resubmit -07. --Pekka
- [Hipsec] Moving the base spec forward Pekka Nikander
- [Hipsec] Re: Moving the base spec forward Gonzalo Camarillo
- [Hipsec] Moving the base spec forward Yogesh Prem Swami
- [Hipsec] Moving the base spec forward Yogesh Prem Swami
- [Hipsec] Moving the base spec forward Pekka Nikander
- [Hipsec] Moving the base spec forward Pekka Nikander
- [Hipsec] Moving the base spec forward Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Yogesh Prem Swami
- Cookie mechanism -- was -- Re: [Hipsec] Moving th… Yogesh Prem Swami
- Last e-mail in this thread -- was -- Re: [Hipsec]… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- Cookie mechanism -- was -- Re: [Hipsec] Moving th… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Jari Arkko
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Pekka Nikander
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- Protocol type for HIP -- was -- Re: [Hipsec] Movi… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Michael Richardson
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Petri Jokela
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Miika Komu
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Pekka Nikander
- HIP and IKE -- was -- Re: [Hipsec] Moving the bas… Yogesh Prem Swami