RE: HIT and ACLs (was Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Mon, 05 June 2006 17:54 UTC

Subject: RE: HIT and ACLs (was Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt
Date: Mon, 05 Jun 2006 10:54:29 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D01A2F2E5@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <e797b443cd9e619a78ac360e503e95b9@it.uc3m.es>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Cc: Internet Area <int-area@ietf.org>

 

> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] 
> Sent: Monday, June 05, 2006 9:21 AM
> To: Henderson, Thomas R
> Cc: Internet Area; Tim Shepard
> Subject: HIT and ACLs (was Re: [Int-area] Progress on 
> draft-laganier-ipv6-khi-01.txt 
> 
> Hi Tom,
> 
> a question about this point...
> 
> On 05/06/2006, at 7:35, Henderson, Thomas R wrote:
> >
> > It is not only local handles where this matters; in fact, as you point
> > out, it may not matter much there at all.  However, think about using
> > HITs instead of IPv6 addresses in ACLs;
> 
> I am not sure if I understand in which situations this can be 
> practical...
> 
> there are at least two things that I am not sure how to deal with in 
> this case:
> - First, HITs are not carried in every packet (as opposed to IP 
> addresses) so you could only have ACLs based on HITs on the end system 
> (meaning that you cannot have e.g. an ACL on a firewall that is 
> inspecting traffic to verify what is filtered, right?) or are you 
> considering the case where the firewall keeps track of the HIP 
> exchange?

I am considering the case where the firewall/end system keeps track of the HIP exchange.  See, for example, the following draft:
http://www.ietf.org/internet-drafts/draft-tschofenig-hiprg-hip-natfw-traversal-04.txt

> - Second, I guess that in order to be useful it should be possible to 
> aggregate the HITs so that you could define blocks in the ACL. I mean a 
> plain namespace like HITs seems kind of unpractical since you would need 
> to detail each and every host in the ACL. I guess that for this, the 
> type 2 HITs would be really needed...
> 

There is a section in the IRTF NSRG report that describes this issue:

   "Additionally, HIP raises an issue regarding other uses for
   aggregation of IP addresses.  Today, they are not only aggregated for
   purposes of reduced routing, but also for reduced administration.  A
   typical access list used on the Internet will have some sort of a
   mask, indicating that a group of hosts from the same subnet may
   access some resource.  Because the value of a HIT is a hash in part,
   only the administratively assigned value can be aggregated,
   introducing an allocation limitation and authorization concerns."

But in practice today, there is a similar lack of aggregation in ssh key-based access controls.  I think it depends on what you are trying to accomplish with the ACL.  If you really want to write ACL policies based on address prefixes, then continue to do so, but if you want to do it based on host identifiers, then I agree that either they would need to be enumerated or there would need to be some structure added for aggregation (as well as some means to authenticate that the host is authorized to use those structured id bits).  

If a distinct prefix is allocated for ORCHIDs, then it makes it straightforward for a system to determine by inspection whether the entry is an address or a HIT, and finer granularity controls are then possible at the network layer.

Tom

_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area
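As an added illustration of the two points argued in the thread (this is example code, not from the thread or from any HIP implementation): a mixed access list that tells an address entry from a HIT entry by inspecting the ORCHID prefix, applies mask-based matching only to addresses, refuses a mask over a HIT's hash bits (the flat namespace has to be enumerated), and consults a peer HIT only when the enforcement point has tracked the HIP exchange. The prefix value is an assumption; RFC 4843 later allocated 2001:10::/28 for ORCHIDs, after this email was written.

```python
"""Mixed IPv6-address / HIT allow-list, separated by inspection of the ORCHID prefix."""
import ipaddress
from typing import List, Optional, Set, Tuple

# Assumed ORCHID prefix (the value RFC 4843 later allocated; not on the page).
ORCHID_PREFIX = ipaddress.IPv6Network("2001:10::/28")


def is_hit(entry: str) -> bool:
    """A distinct ORCHID prefix makes the address/HIT decision a pure inspection."""
    net = ipaddress.IPv6Network(entry, strict=False)
    return net.subnet_of(ORCHID_PREFIX)


class MixedAcl:
    """Allow-list whose entries are either IPv6 prefixes or individual HITs."""

    def __init__(self) -> None:
        self.prefixes: List[ipaddress.IPv6Network] = []
        self.hits: Set[ipaddress.IPv6Address] = set()

    def add(self, entry: str) -> None:
        net = ipaddress.IPv6Network(entry, strict=False)
        if net.subnet_of(ORCHID_PREFIX):
            # HITs are hash-derived: a mask shorter than /128 would "aggregate"
            # hash bits that carry no administrative structure, so refuse it.
            if net.prefixlen != 128:
                raise ValueError(f"{entry}: HITs cannot be aggregated by mask")
            self.hits.add(net.network_address)
        else:
            self.prefixes.append(net)  # ordinary address prefix, mask allowed

    def permits(self, src_addr: str, peer_hit: Optional[str] = None) -> Tuple[bool, str]:
        """Evaluate one packet.

        src_addr is what is in the packet.  On an end system the HIP layer may
        present the HIT itself as the address; a HIP-aware firewall only learns
        peer_hit by having tracked the HIP exchange for this flow, otherwise it
        is None and only address rules can apply.
        """
        addr = ipaddress.IPv6Address(src_addr)
        for net in self.prefixes:
            if addr in net:
                return True, f"address matched {net}"
        if addr in self.hits:
            return True, "HIT matched (end-system view)"
        if peer_hit is not None and ipaddress.IPv6Address(peer_hit) in self.hits:
            return True, "HIT matched (tracked HIP exchange)"
        return False, "no match"
```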