Re: [Hipsec] HIT to IP in DNS

Oleg Ponomarev <oleg.ponomarev@hiit.fi> Fri, 06 March 2009 12:55 UTC

To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
Cc: hipsec@ietf.org

Hi! On Wed, 21 Jan 2009, Henderson, Thomas R wrote:

Apologies for the late reply; I did not have time to update the draft 
before, but have now submitted a new version, which is available at 
http://www.ietf.org/internet-drafts/draft-ponomarev-hip-hit2ip-02.txt

This version has a much longer discussion of the usage and deployment.


> You are really talking about defining domain names based on HITs and
> storing them in a well known domain.  Maybe the title could be
> simplified to "Storing HITs as domain names in the DNS".

Right, I changed it to "Embedding Host Identity Tags Data in DNS".


> What if the target end system uses an RVS?

This is just an interface to the HIT->IP database; a rendezvous server may 
update the mapping through its own interface, but that is not covered in 
the draft.


>   2.1. Preconfigured Domain
>   The systems using this method MUST have the same domain pre-
>   configured, for example hit-to-ip.example.net.
>
> It seems like this could be slightly relaxed to state that systems MUST
> share at least one top-level domain storing the HITs, since it is
> conceivable that more than one server (name service provider) could be
> used, and records could be looked up at multiple places.

Ok, I added a usage scenario with multiple independent mapping services.


>   2.4  Managing the Records
>   The system MAY send DNS UPDATE[RFC2136] to the server provided by SOA
>   MNAME field of the domain.  The system MUST use HIT as the source
>   address in this case.
>
> Can you clarify what "source address" you are talking about above?

Sure, I changed it to "The system MAY add or delete A, AAAA, PTR, CNAME 
records for its own HIT representation. The update MUST then originate 
from the corresponding HIT".


>   The system MAY add or delete A/AAAA or CNAME
>   records for its own HIT representation.  The domain provided in SOA
>   MNAME field of the preconfigured domain MUST have Host Identity of
>   the server stored in DNS, the IP addresses MUST be listed in that
>   domain using suggested method and the server MUST accept DNS UPDATE
>   messages, which add or delete A/AAAA or CNAME records for the HIT
>   representation of the client after successful HIP base exchange.
>
> It might be helpful to clarify that the HIP base exchange here serves to
> authenticate the origin of the DNS UPDATE, from the server's
> perspective.

Added.

> Also, DHTs are an alternative lookup mechanism that can be used in this
> scenario; it would be helpful to reference that draft:
> http://tools.ietf.org/html/draft-ahrenholz-hiprg-dht-03

Thanks for your feedback and for this tip. I wanted to mention DHT, but 
could not find this ID in the archive of HIP-related drafts. Would it make 
sense to show "*-hiprg-*" on the HIP WG page as well? AFAIK extended 
mapping of Internet Drafts (by name) to WG was implemented recently.

-- 
Regards, Oleg.
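As an added illustration of the authorization rule discussed in the thread (a DNS UPDATE for a HIT's records must originate from that HIT, authenticated by the HIP base exchange), here is a server-side policy check in Python. This is example code, not the draft's or the thread's own; the nibble-reversed name encoding, the function names and the sample HITs are assumptions of this example.

```python
import ipaddress

# Assumption (not stated in the email): a HIT is written as a DNS owner name
# by listing its 32 hex nibbles in reverse order, ip6.arpa style, under the
# preconfigured domain named in the thread.
PRECONFIGURED_DOMAIN = "hit-to-ip.example.net"
# Record types the quoted draft text lets a client add or delete for itself.
ALLOWED_RRTYPES = {"A", "AAAA", "PTR", "CNAME"}


def hit_to_name(hit: str, domain: str = PRECONFIGURED_DOMAIN) -> str:
    """Map a HIT (a 128-bit identifier in IPv6 notation) to its DNS owner name."""
    nibbles = format(int(ipaddress.IPv6Address(hit)), "032x")
    return ".".join(reversed(nibbles)) + "." + domain + "."


def authorize_update(source_hit: str, updates: list, domain: str = PRECONFIGURED_DOMAIN) -> bool:
    """Decide whether a DNS UPDATE received over a HIP association is acceptable.

    source_hit is the peer HIT authenticated by the HIP base exchange;
    updates is a list of (action, owner_name, rrtype) tuples describing the
    prerequisite-free add/delete operations in the message. Every operation
    must be an add or delete of an allowed type at the owner name that
    represents the authenticated source HIT itself; anything else is refused.
    """
    if not updates:
        return False
    own_name = hit_to_name(source_hit, domain).lower()
    for action, owner, rrtype in updates:
        if action not in ("add", "delete"):
            return False
        if rrtype.upper() not in ALLOWED_RRTYPES:
            return False
        # Owner names are case-insensitive; normalise the trailing dot as well.
        if owner.lower().rstrip(".") + "." != own_name:
            return False
    return True


if __name__ == "__main__":
    hit = "2001:15:ab12:cd34:ef56:7890:1234:5678"   # constructed sample HIT
    name = hit_to_name(hit)
    print(name)
    print(authorize_update(hit, [("add", name, "AAAA"), ("delete", name, "A")]))  # own records: accepted
    other = hit_to_name("2001:15::1")                # constructed sample HIT of some other host
    print(authorize_update(hit, [("add", other, "AAAA")]))   # not the source HIT's name: refused
    print(authorize_update(hit, [("add", name, "MX")]))      # type not permitted: refused
```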