
Re: GSE IDs [Re: IETF multihoming powder: just add IPv6 and stir]



David Conrad wrote:
> On Monday, May 5, 2003, at 11:03  PM, Pekka Nikander wrote:
>
>> Secure DNS has been shown not to be scalable in practice.
>
> Oh?  References?
Well, apparently I should have been more careful with my
wording.  No, it has not been scientifically (by analysis)
shown not to be scalable.

I was merely referring to the current state of deployment
and to my admittedly very limited practical experience,
mostly within the scope of the Mobile IPv6 security design team.
Maybe I am wrong, and in any case my statement above was
far too strong.  Sorry about that.

Now, what I was referring to was merely our strawman analysis
of what happens if you use secure reverse DNS to verify if
someone is authorized to use a particular address.  I didn't
find the text any more (maybe it is available in the DT
archives, but I don't know where they are).  Anyway, the
result was that you typically end up doing maybe 7-8 DNS
queries and verifying 10-12 public key certificates, or
something like that.  Not really scalable if you would need
to do that for each address that you get.

Thinking about the issue a little bit more, it is not at
all clear whether we need secure reverse DNS in this case
at all.  If we want to securely resolve host identifiers
(second 16s or whatever) into locators, maybe we do.
In that case the analysis applies, and should probably be
made again, perhaps with more rigor this time.

--Pekka Nikander
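A cost model of the chain-of-trust walk the message describes, added here as an illustration; it is not code from the thread and not the design team's analysis. The zone cuts (including a hypothetical /32 and /48 delegation under the 2001:db8::/32 documentation prefix), the per-zone pattern of one DS query and one DNSKEY query each with one signature check, and the cache behaviour are all assumptions:

```python
"""Cost model for validating a reverse-DNS (ip6.arpa) answer through a
DNSSEC-style chain of trust.  Added illustration with assumed zone cuts
and an assumed per-zone query/verification pattern."""
from __future__ import annotations

import ipaddress

# Constructed delegation tree: root, arpa, ip6.arpa, a /32 zone and a /48
# zone under the 2001:db8::/32 documentation prefix (assumed, not real data).
ZONE_CUTS = [
    ".",
    "arpa.",
    "ip6.arpa.",
    "8.b.d.0.1.0.0.2.ip6.arpa.",          # 2001:db8::/32
    "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.",  # 2001:db8:0::/48
]


def reverse_name(address: str) -> str:
    """Return the ip6.arpa name for an IPv6 address (one label per nibble)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def _under(name: str, zone: str) -> bool:
    """True if `name` lies at or below the zone apex `zone`."""
    return zone == "." or name == zone or name.endswith("." + zone)


def zones_on_path(name: str, zone_cuts: list[str]) -> list[str]:
    """Zone apexes that `name` lies under, ordered root first."""
    path = [z for z in zone_cuts if _under(name, z)]
    return sorted(path, key=lambda z: len([l for l in z.split(".") if l]))


def validate(name: str, zone_cuts: list[str], cache: set[str] | None = None):
    """Count queries and RRSIG verifications needed to validate the RRset
    at `name`.  Assumed pattern: the trust-anchor zone costs one DNSKEY
    query and one signature check; every further zone cut costs a DS query
    at the parent and a DNSKEY query at the child, one signature check
    each; the final answer costs one query and one check.  Zones whose
    keys are already in `cache` cost nothing.  Returns (queries, checks).
    """
    cache = set() if cache is None else cache
    queries = checks = 0
    for depth, zone in enumerate(zones_on_path(name, zone_cuts)):
        if zone in cache:
            continue
        if depth == 0:      # trust anchor: DNSKEY RRset and its self-signature
            queries += 1
            checks += 1
        else:               # DS at the parent, DNSKEY at the child
            queries += 2
            checks += 2
        cache.add(zone)
    queries += 1            # the answer RRset itself
    checks += 1             # and its RRSIG
    return queries, checks


if __name__ == "__main__":
    # Cold resolver: every zone on the path must be fetched and verified.
    print("cold 2001:db8::1    ", validate(reverse_name("2001:db8::1"), ZONE_CUTS))
    # Warm resolver: a second address in the same zones costs only the answer.
    warm: set[str] = set()
    validate(reverse_name("2001:db8::1"), ZONE_CUTS, warm)
    print("warm 2001:db8::2    ", validate(reverse_name("2001:db8::2"), ZONE_CUTS, warm))
    # A different /48 under the same /32 reuses the upper zones only.
    print("warm 2001:db8:1::1  ", validate(reverse_name("2001:db8:1::1"), ZONE_CUTS, warm))
```

Under these assumptions a cold lookup through five zones costs ten queries and ten signature checks, the same order of magnitude as the 7-8 queries and 10-12 verifications the message recalls. The model also shows what the message's per-address concern hinges on: once the upper zones are cached, later addresses under the same delegations cost one query and one check, so the scalability question turns on how much of the chain a given node can amortise rather than on the cold-path count alone.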