Re: [P2PSIP] Re: HIP pros and cons

["Bruce Lowekamp" <lowekamp@sipeerior.com>]

On Dec 13, 2007 2:29 AM, Miika Komu <miika@iki.fi> wrote:
> On Wed, 12 Dec 2007, Eric Rescorla wrote:
> >
> > Yes, you need to throttle queries somewhat at the enrollment server.
> > But this is a much easier problem than throttling key generations
> > which don't require a server query.
>
> I have two questions regarding to this:
> * Is it possible to have a distributed enrollment server (i.e. the DHT) or
>    is this an open research problem?

For the purposes of the p2psip wg, it was ruled out of scope as an
open research problem.

> * Why can't we just use a centralized enrollment server to distribute
>    mandatory certificates for Host Identities? The enrollment server could
>    still throttle based on the IP address of the client, which I assume you
>    we suggesting?

As long as the enrollment server is able to restrict someone from
picking arbitrary IDs and either throttles requests or restricts
requests in some other way, that probably meets the security
requirement.  Not very secure if it's just based on the IP address of
the client, though, as it's easy to get a lot of those.

> I find it a little bit controversial that the P2P-SIP is supposed to
> distributed (DHT) and non-distributed (enrollment servers) at the same
> time. Who owns the centralized enrollment server and how do you prevent
> it to become a single point of failure for P2P-SIP?
>

Depends on the deployment scenario.  For a partial list, take a look
at http://tools.ietf.org/wg/p2psip/draft-bryan-p2psip-app-scenarios-00.txt

Bruce

_______________________________________________
P2PSIP mailing list
P2PSIP@ietf.org
https://www1.ietf.org/mailman/listinfo/p2psip