
Re: HIP and PKI reqs [RE: Identifier/locator recap]

Iljitsch van Beijnum wrote:
> This could work extremely well except for one tiny problem: what if some
> nodes don't cooperate and don't follow the protocol?
You just take a different hash (or a different part
of a hash), and try again.  Or something like that,
it's been a few months since I read the DHT papers,
and I don't remember the details any more.

> This is essentially the same old problem: looking up entries in huge
> piles of data that lacks a hierarchical structure simply doesn't scale.
Yes it does, if the data is randomly distributed.

If it is hierarchical, you can use a tree structure.
If it is randomly distributed, you can use a hash structure.

The trick is how you distribute your hash structure.
We know how to distribute tree structures.  Distributed
hash tables are exactly the method for distributing hash
structures.  (Sorry that I can't be more specific or write
a tutorial, but the DHT stuff is too new for me, too.)

> Maybe this is already in there (I can't remember the latest HIP
> identifier structure, but it's no longer 127 bits of fingerprint, AFAIK)
> but just in case: why don't you shrink the fingerprint part to 64 or 80
> bits. Then you can use the high 48 or 64 bits in a DNS-compatible
> manner.
It's there:

   There are two formats for HIT.  These two formats are designed to
   avoid the most commonly occurring IPv6 addresses in RFC2373 [3].
   Bits 0 and 1 are used to differentiate the formats.  If Bit 0 is zero
   and Bit 1 is one, then the rest of the HIT is 126 bits of a SHA-1 hash
   of the Host Identity. If Bit 0 is one and Bit 1 is zero, then the
   next 62 bits are the Host Assigning Authority (HAA) field, and only
   the last 64 bits come from a SHA-1 hash of the Host Identity.  This
   format for HIT is recommended for 'well known' systems.  It is
   possible to support a resolution mechanism for these names in
   directories like DNS. Another use of HAA is in policy controls.

> I really think the FQDN is the
> actual identifier here, not the HIP id.
There we have the difference.  Computers don't understand names.
Names are just bit strings to them.  Public keys make *re*cognition
possible to computers, just like faces make it to people.

--Pekka Nikander