[Hipsec-rg] Native HIP API questions in the hipsec-rg meeting

mkomu@niksula.hut.fi (Miika Komu) Mon, 16 August 2004 07:46 UTC

From: mkomu@niksula.hut.fi (Miika Komu)
Date: Mon Aug 16 07:46:01 2004
Subject: [Hipsec-rg] Native HIP API questions in the hipsec-rg meeting
In-Reply-To: <6938661A6EDA8A4EA8D1419BCE46F24C045223EE@xch-nw-27.nw.nos.boeing.com>
References: <6938661A6EDA8A4EA8D1419BCE46F24C045223EE@xch-nw-27.nw.nos.boeing.com>
Message-ID: <Pine.GSO.4.58.0408161501130.1778@kekkonen.cs.hut.fi>

Some questions were raised in the hipsec-rg meeting in San Diego and I'd
like to comment on them briefly:

> 2.  HIP Native API (Julien Laganier)
>
> Lars Eggert:  Why are you binding to a src interface rather than
> address?
>
> Julien:  Ask Miika for motivation.
>
> Joe Touch:  Binding to interfaces doesn't make sense.  Interfaces have
> multiple IP addresses.  A single host identity must be able to bind to a
> particular IP address, for policy reasons.

Actually, the binding is done on the source endpoint descriptor. The
resolver communicates the descriptor to the HIP module and associates it
with a (given) interface.

The main motivation for preferring IP addresses instead of interfaces is
related to the probable lifetime of the identifiers. IP addresses are
more unstable than interfaces, so interfaces were preferred. It is still
possible to use a specific IP address by specifying the protocol family
(and prefix) of the IP address to the resolver.

(Btw, usually client apps do not bind explicitly and server applications
bind to INADDR_ANY or IN6ADDR_ANY, so this question may not be so
important.)

Other opinions? Does anyone think that using interfaces instead of
IP addresses is a better approach? Or a no-go?

Another question to all: do you prefer "endpoint descriptors" instead
of HITs as the AID and why?

> Andrew McGregor:  Agree about not binding to an interface.  You may want
> to bind to a HIT and use a setsockopt() to associate a locator with it.

Resolver does the setsockopt() on behalf of the user. The difference
is that the HI-to-IP mapping is "global" instead of socket specific. The
security issues are dealt with by tagging the mapping with the UID and GID.

> Tim Shepard:  What if no DNS?  Nervous about building in dependencies on
> DNS.
>
> Julien:  use /etc/hosts.  Can fall back to opportunistic mode too.

The other alternative for DNS is the DHT, but it remains to be seen if we
ever get there. In the meantime, we should rely on DNS, as there are no
real alternatives currently available.

Maybe the resolver should support DHT queries too. With a new
resolver, this should not be a problem. I'll have to look at this topic
when I get my hands on a DHT DNS replacement implementation...

-- 
Miika Komu              miika@iki.fi          http://www.iki.fi/miika/
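Two of the points argued above (that an endpoint bound to an interface can still be steered to a specific address by giving the resolver a protocol family and prefix, and that a global HI-to-locator mapping is made safe to share by tagging each entry with the UID/GID that installed it) are small enough to model in plain C. The block below is an added illustration written for this archive page; it is not code from the mail, from the Native HIP API draft or from any HIP implementation. The interface addresses, HIT byte values, owner IDs and the rule "an entry is usable if either its UID or its GID matches the caller" are all constructed assumptions.

```c
/* Added example (not from the original mail or any HIP implementation).
 * 1. select_locator(): the endpoint is bound to an interface, but the
 *    caller asks for a family and an optional prefix; pick the first
 *    configured address that fits.
 * 2. lookup_locator(): a global HIT-to-locator table whose entries carry
 *    the installing UID/GID; a lookup on behalf of another user fails
 *    with EACCES instead of silently reusing someone else's mapping.
 * All addresses, HITs and IDs below are constructed sample data. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/types.h>

struct if_addr { int family; char text[INET6_ADDRSTRLEN]; };

/* Is 'addr' inside prefix/prefixlen? prefix == NULL means "any of family". */
static int addr_in_prefix(int family, const char *addr,
                          const char *prefix, int prefixlen)
{
    unsigned char a[16], p[16];
    int len = (family == AF_INET6) ? 16 : 4;
    if (prefix == NULL) return 1;
    if (inet_pton(family, addr, a) != 1 || inet_pton(family, prefix, p) != 1)
        return 0;
    if (prefixlen < 0 || prefixlen > len * 8) return 0;
    int full = prefixlen / 8, rem = prefixlen % 8;
    if (memcmp(a, p, full) != 0) return 0;
    if (rem) {
        unsigned char mask = (unsigned char)(0xff << (8 - rem));
        if ((a[full] & mask) != (p[full] & mask)) return 0;
    }
    return 1;
}

/* Index of the first interface address matching family (and prefix), or -1. */
int select_locator(const struct if_addr *addrs, int n,
                   int family, const char *prefix, int prefixlen)
{
    for (int i = 0; i < n; i++)
        if (addrs[i].family == family &&
            addr_in_prefix(family, addrs[i].text, prefix, prefixlen))
            return i;
    return -1;
}

/* Global mapping entry: peer HIT -> locator, tagged with installing owner. */
struct hi_mapping {
    unsigned char hit[16];
    char locator[INET6_ADDRSTRLEN];
    uid_t uid;
    gid_t gid;
};

/* 0 and locator copied on success; -ENOENT if unknown HIT; -EACCES if the
 * only entries for this HIT belong to another UID and GID (assumed rule). */
int lookup_locator(const struct hi_mapping *tab, int n,
                   const unsigned char hit[16], uid_t uid, gid_t gid,
                   char *out, size_t outlen)
{
    int seen = 0;
    for (int i = 0; i < n; i++) {
        if (memcmp(tab[i].hit, hit, 16) != 0) continue;
        seen = 1;
        if (tab[i].uid == uid || tab[i].gid == gid) {
            strncpy(out, tab[i].locator, outlen - 1);
            out[outlen - 1] = '\0';
            return 0;
        }
    }
    return seen ? -EACCES : -ENOENT;
}

/* Constructed sample data: one interface with four addresses. */
static const struct if_addr SAMPLE_IF[] = {
    { AF_INET,  "192.0.2.10" }, { AF_INET6, "fe80::1" },
    { AF_INET6, "2001:db8:1::10" }, { AF_INET6, "2001:db8:2::10" },
};
/* Constructed HITs (first/last bytes only differ) and one mapping for each. */
#define HIT(last) { 0x20,0x01,0x00,0x10, 0,0,0,0, 0,0,0,0, 0,0,0,(last) }
static const unsigned char HIT_A[16] = HIT(0xaa), HIT_C[16] = HIT(0xcc);
static const struct hi_mapping SAMPLE_MAP[] = {
    { HIT(0xaa), "2001:db8:1::10", 1000, 1000 },  /* installed by uid 1000 */
    { HIT(0xbb), "2001:db8:2::20", 1001, 1001 },  /* installed by uid 1001 */
};

/* Named demo results so the behaviour can be checked without a main(). */
int demo_pick_v6_in_db8_2(void) { return select_locator(SAMPLE_IF, 4, AF_INET6, "2001:db8:2::", 48); }
int demo_pick_any_v4(void)      { return select_locator(SAMPLE_IF, 4, AF_INET, NULL, 0); }
int demo_pick_v4_missing(void)  { return select_locator(SAMPLE_IF, 4, AF_INET, "198.51.100.0", 24); }
int demo_lookup_as(uid_t uid, gid_t gid) {
    char buf[INET6_ADDRSTRLEN];
    return lookup_locator(SAMPLE_MAP, 2, HIT_A, uid, gid, buf, sizeof buf);
}
int demo_lookup_unknown(void) {
    char buf[INET6_ADDRSTRLEN];
    return lookup_locator(SAMPLE_MAP, 2, HIT_C, 1000, 1000, buf, sizeof buf);
}
int demo_owner_gets_locator(void) {
    char buf[INET6_ADDRSTRLEN];
    return lookup_locator(SAMPLE_MAP, 2, HIT_A, 1000, 1000, buf, sizeof buf) == 0
        && strcmp(buf, "2001:db8:1::10") == 0;
}
```

The prefix check is what lets an application that "binds to an interface" still express "use my 2001:db8:2::/48 address", which answers the policy concern raised by Joe Touch without making the binding depend on a single, possibly short-lived address. The ownership tag is the simplest form of the UID/GID protection mentioned in the reply: the mapping table is global, but a process only sees entries its own user (or group) installed, so one local user cannot redirect another user's HIP associations by planting a mapping.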