[Hipsec-rg] Re: Native HIP API questions in the hipsec-rg meeting

lars.eggert@netlab.nec.de (Lars Eggert) Mon, 16 August 2004 15:35 UTC

From: lars.eggert@netlab.nec.de (Lars Eggert)
Date: Mon Aug 16 15:35:01 2004
Subject: [Hipsec-rg] Re: Native HIP API questions in the hipsec-rg meeting
In-Reply-To: <Pine.GSO.4.58.0408161501130.1778@kekkonen.cs.hut.fi>
References: <6938661A6EDA8A4EA8D1419BCE46F24C045223EE@xch-nw-27.nw.nos.boeing.com> <Pine.GSO.4.58.0408161501130.1778@kekkonen.cs.hut.fi>
Message-ID: <41211AD3.6080306@netlab.nec.de>

Miika,

Miika Komu wrote:
>>
>>Lars Eggert:  Why are you binding to a src interface rather than
>>address?
>>
>>Joe Touch:  Binding to interfaces doesn't make sense.  Interfaces have
>>multiple IP addresses.  A single host identity must be able to bind to a
>>particular IP address, for policy reasons.
> 
> Actually, the binding is done on the source endpoint descriptor. The
> resolver communicates the descriptor to the HIP module and associates it
> with a (given) interface.
> 
> The main motivation for preferring IP addresses instead of interfaces is
> related to the probable life time of the identifiers. IP addresses are
> more unstable than interfaces, so interfaces were preferred. It is still
> possible to use a specific IP address by specifying the protocol family
> (and prefix) of the IP address to the resolver.
> 
> (Btw, usually client apps do not bind explicitly and server applications
> bind to INADDR_ANY or IN6ADDR_ANY, so this question may not be so
> important.)
> 
> Other opinions? Does anyone think that using interfaces instead of
> IP-addresses is a better approach? Or a no-go?

now I'm confused. The slides in San Diego showed a binding from HITs to 
interfaces. Yet this email talks about binding HITs to IP addresses. 
Which is it? Were the slides in San Diego wrong?

The issue we raised in San Diego was that *nothing* in the current 
sockets API ever binds to interfaces. Everything binds to IP addresses. 
Even INADDR_ANY just means "any IP address."

A HIP API would do well to follow this approach. The reason is that an 
outgoing interface is determined for each packet independently based on 
a routing lookup at transmission time. Which means that when the routing 
table changes, implementations don't have to go through all bindings to 
change their interfaces.

Additionally, as Joe pointed out, interfaces can have aliases, and 
furthermore, those aliases may move from one interface to another during 
the lifetime of a connection. Binding to IP addresses instead of 
interfaces avoids all this update mess.

> Another question to all: do you prefer "endpoint descriptors" instead
> of HITs as the AID and why?

Are there other kinds of endpoint descriptors than HITs? If yes, use the 
generic term. If no, just use "HITs" to be clear. (My two cents.)

>>Andrew McGregor:  Agree about not binding to an interface.  You may want
>>to bind to a HIT and use a setsockopt() to associate a locator with it.
> 
> Resolver does the setsockopt() on the behalf of the user. The difference
> is that the HI-to-IP mapping is "global" instead of socket specific. The
> security issues are dealt by tagging the mapping with the UID and GID.

I don't recall Andrew's exact question, and the above doesn't mean 
anything to me. Could you please elaborate?

>>Tim Shepard:  What if no DNS?  Nervous about building in dependencies on
>>DNS.
>>
>>Julien:  use /etc/hosts.  Can fall back to opportunistic mode too.
> 
> The other alternative for DNS is the DHT, but it remains to be seen if we
> ever get there. In the mean time, we should rely on DNS, as there are no
> real alternatives currently available.
> 
> Maybe the resolver should support DHT queries too. With a new
> resolver, this should not be a problem. I'll have to look at this topic
> when I get my hands on a DHT DNS replacement implementation...

See Tim's email. I agree with him that finding a way to use HIP without 
a deployed DNS would be very useful. How do you bootstrap communication 
if someone hands you just a HIT?

Lars
-- 
Lars Eggert                                     NEC Network Laboratories
