Re: [nbs] NBS and TCP connection identification

Le 21 sept. 2010 à 00:01, Erik Nordmark a écrit :

> 
> I'm quite intriqued by name-based sockets, but I don't understand how things are supposed to work.
> I've read draft-ubillos-name-based-sockets-03.txt and draft-xu-name-shim6-00.txt, but some aspects appear to be missing.
> 
> Does with NBS what identifies a TCP connection? Today it is identified by a pair of IP addresses and port numbers, but that wouldn't work with NBS since we want the TCP connection to survive renumbering the IP addresses. Is the intent that the connection be identified by a pair of names?

In my understanding, this is what is consistent and clean.
For this, a TCP option seems appropriate, to convey to the server the source the destination names used by the client (when they exist).
Thus, servers may query to the direct DNS (rather than the reverse DNS) to validate the names of connection initiators. 
In the absence of such names, applications that need to identify where connections come from can refuse them.

RD 

> By fixed-length hashes of the names?
> 
> What are the security issues introduced by the additional name mapping? (Part of that answer depends on how TCP connections are identified.) It might be useful to review RFC 4218 and see what threats apply to NBS.
> 
> In name-shim6-00.txt there is a suggestion to communicate the names in NBS, and then in addition communicate the names (or MD5-hashes of the names) in shim6. That seems to be overkill.
> 
> 
> Instead of a nonce as a name I think it makes more sense to use a crypto-based identifier (see
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.139.4051&rep=rep1&type=pdf). Such a name/ID means that even a host which does not have a FQDN can benefit from multihoming and mobility using NBS without introducing any security issues.
> 
>   Erik
> 
> 
> _______________________________________________
> nbs mailing list
> nbs@ietf.org
> https://www.ietf.org/mailman/listinfo/nbs