Re: HIT and ACLs (was Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt)

Tim Shepard <shep@alum.mit.edu> Mon, 05 June 2006 18:04 UTC

From: Tim Shepard <shep@alum.mit.edu>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
Subject: Re: HIT and ACLs (was Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt)
In-reply-to: Your message of Mon, 05 Jun 2006 10:54:29 -0700. <77F357662F8BFA4CA7074B0410171B6D01A2F2E5@XCH-NW-5V1.nw.nos.boeing.com>
Date: Mon, 05 Jun 2006 14:04:12 -0400
Message-Id: <E1FnJQz-0007Xb-00@alva.home>
Cc: Internet Area <int-area@ietf.org>


> There is a section in the IRTF NSRG report that describes this issue:
> 
>    "Additionally, HIP raises an issue regarding other uses for
>    aggregation of IP addresses.  Today, they are not only aggregated for
>    purposes of reduced routing, but also for reduced administration.  A
>    typical access list used on the Internet will have some sort of a
>    mask, indicating that a group of hosts from the same subnet may
>    access some resource.  Because the value of a HIT is a hash in part,
>    only the administratively assigned value can be aggregated,
>    introducing an allocation limitation and authorization concerns."
> 
> But in practice today, there is a similar lack of aggregation in ssh
> key-based access controls.  I think it depends on what you are
> trying to accomplish with the ACL.  If you really want to write ACL
> policies based on address prefixes, then continue to do so, but if
> you want to do it based on host identifiers, then I agree that
> either they would need to be enumerated or there would need to be
> some structure added for aggregation (as well as some means to
> authenticate that the host is authorized to use those structured id
> bits).

But a bare HIT which happens to have some prefix does not imply that
it was created with the permission of the authority that controls the
reverse mapping for that prefix.  Seems like you need to do an on-line
lookup or have a full-blown certificate anyway.  In that case, there's
no value (that I can see) in having a prefix.

(Should this be on the hip-rg mailing list instead of int-area?)

			-Tim Shepard
			 shep@alum.mit.edu
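The following is an added illustration of the two points made in this exchange; it is not code from the thread, from the draft, or from any HIP implementation. It models a HIT as a fixed prefix plus a hash of the host's public key, and contrasts a prefix-based ACL (which aggregates naturally) with a HIT-based ACL (which, like an ssh `authorized_keys` file, has to enumerate identities and verify that the presented key actually hashes to the claimed HIT). Assumptions: the 2001:10::/28 prefix is the ORCHID prefix later assigned in RFC 4843, not a value stated in this message; the hash construction (SHA-256 truncated to 100 bits) is a simplification, not the draft's exact algorithm; the key blobs and addresses are constructed sample data.

```python
"""Prefix ACLs vs. HIT ACLs: why a HIT has to be enumerated and verified.

Added example, not part of the mailing-list thread. The hash construction is
simplified and the prefix value is an assumption taken from RFC 4843.
"""
import hashlib
import ipaddress

# Assumption: ORCHID-style prefix for hash-based identifiers (RFC 4843 value).
ORCHID_PREFIX = ipaddress.IPv6Network("2001:10::/28")
HASH_BITS = 128 - ORCHID_PREFIX.prefixlen  # 100 bits of hash under the prefix


def hit_from_key(pubkey: bytes, context_id: bytes = b"\x00" * 16) -> ipaddress.IPv6Address:
    """Derive a HIT from a public-key blob: 28-bit prefix || truncated hash.

    Simplified construction (SHA-256, low 100 bits); the real draft differs,
    but the property that matters here is the same: everything below the
    prefix is a hash output, so it carries no administrative structure.
    """
    digest = hashlib.sha256(context_id + pubkey).digest()
    hash_part = int.from_bytes(digest[:16], "big") & ((1 << HASH_BITS) - 1)
    return ipaddress.IPv6Address(int(ORCHID_PREFIX.network_address) | hash_part)


def prefix_acl_allows(addr, allowed_prefixes) -> bool:
    """Classic mask-style ACL: any address inside an allowed prefix passes.

    This works for administratively assigned addresses. Applied to HITs it is
    nearly meaningless: every HIT shares the same assigned prefix, and the
    remaining bits are hash output that no authority handed out.
    """
    return any(addr in prefix for prefix in allowed_prefixes)


def hit_acl_allows(claimed_hit, presented_key: bytes, authorized_keys) -> bool:
    """HIT-based ACL, ssh-authorized_keys style.

    Two checks are required: the presented key must actually hash to the
    claimed HIT (otherwise the HIT is just a number the peer asserted), and
    the key must be on an enumerated allow list (no prefix can stand in for
    this, since no authority vouched for the hash bits).
    """
    if hit_from_key(presented_key) != claimed_hit:
        return False  # the peer does not hold the identity it claims
    return presented_key in authorized_keys


# Constructed sample data: two hosts, each identified by a key blob.
KEY_A = b"constructed-public-key-of-host-A"
KEY_B = b"constructed-public-key-of-host-B"
HIT_A = hit_from_key(KEY_A)
HIT_B = hit_from_key(KEY_B)
AUTHORIZED = {KEY_A}  # only host A is on the allow list


def demo() -> dict:
    """Evaluate the same two hosts under both ACL styles."""
    return {
        # Both HITs fall under the shared prefix, so a prefix rule admits both.
        "prefix_rule_admits_A": prefix_acl_allows(HIT_A, [ORCHID_PREFIX]),
        "prefix_rule_admits_B": prefix_acl_allows(HIT_B, [ORCHID_PREFIX]),
        # Enumerated HIT ACL with key verification: only A passes.
        "hit_rule_admits_A": hit_acl_allows(HIT_A, KEY_A, AUTHORIZED),
        "hit_rule_admits_B": hit_acl_allows(HIT_B, KEY_B, AUTHORIZED),
        # A claimed HIT without the matching key is rejected outright.
        "hit_rule_A_with_wrong_key": hit_acl_allows(HIT_A, KEY_B, AUTHORIZED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `prefix_rule_admits_*` entries show the aggregation problem from the NSRG excerpt: a mask over HIT space matches everything under the assigned prefix, because the host-specific bits are hash output rather than an allocation. The `hit_rule_*` entries show the alternative Henderson describes: enumerate identities and, as `hit_acl_allows` does, check that the key presented really hashes to the HIT before consulting the list.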

_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area