
Re: how much privacy do we need? (was Re: Advantages and disadvantages of using CB64 type of identifiers



[Catching up after vacation]

> > But it is also hard for the wedge layer to know the beginning and end
> > of a session, which is also needed. For instance, an application session
> > might silently assume that multiple TCP connections (to the same peer, or
> > even to different peers) use the same IP address today to represent the host.
> > As a result, if such an application isn't modified for multihoming somehow,
> > it would assume that the same AID (application-visible identifier) is
> > representing the host for that set of connections.
> >
> 
> Question: wouldn't this application also break when RFC3041 addresses
> are used? In particular when a new temporary address is used?

There are two related aspects for "identity comparison" and "callbacks".
For identity comparison i.e. when the responder wants to verify whether
multiple communications are from the same initiator, then RFC 3041 will
make this fail when the preferred lifetime expires for the old address
(1 day by default).
For callbacks, the use of RFC 3041 addresses will cause failure when the valid
lifetime expires for the original address (7 days by default).

But these time constants are quite different from e.g. using ephemeral IDs
where each transport connection might use a different ID.

> > For such a host to have multiple pseudonyms, this implies having multiple
> > FQDNs. (Such as host-2002-8192-56bb-9258-0-0-8192-5882.example.com i.e.
> > the FQDN doesn't have to provide any mnemonic meaning to a user.)
> 
> OK, but in order to support RFC3041 addresses the host would need to
> dynamically update the DNS (creating a new record for its new temporary
> addresses), right? This would imply that multihomed hosts will need to
> support DynDNS or something similar, right?

If you're using NOID-style DNS-based verification and want to take
advantage of multihoming of the host's site, and at the same time use
RFC 3041 addresses, then yes - the host needs to be able to update its
forward DNS zone and create the reverse DNS entries somehow.

  Erik
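The two failure modes Erik distinguishes above, as an added example that is not part of the thread: a small Python model of an initiator using RFC 3041-style temporary addresses (the 1-day preferred and 7-day valid defaults quoted in the message) beside one using per-connection ephemeral IDs, showing that identity comparison breaks at the first threshold while callbacks survive until the second. The prefix 2001:db8:: and all class and function names are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    """One address/ID the initiator has used, with RFC 3041-style lifetimes (days)."""
    value: str
    created: float
    preferred_lifetime: float
    valid_lifetime: float

    def deprecated_at(self, now: float) -> bool:
        return now >= self.created + self.preferred_lifetime

    def valid_at(self, now: float) -> bool:
        return now < self.created + self.valid_lifetime


class Initiator:
    """Host that mints a new ID once the current one is deprecated; times in days,
    passed in non-decreasing order. Defaults are the RFC 3041 values from the thread."""
    preferred_lifetime = 1.0   # new connections switch to a fresh address after this
    valid_lifetime = 7.0       # the old address stops being reachable after this

    def __init__(self, prefix: str = "2001:db8::") -> None:  # constructed example prefix
        self.prefix = prefix
        self.history: list[Identifier] = []

    def source_id(self, now: float) -> str:
        if not self.history or self.history[-1].deprecated_at(now):
            self.history.append(Identifier(f"{self.prefix}{len(self.history) + 1:x}", now,
                                           self.preferred_lifetime, self.valid_lifetime))
        return self.history[-1].value

    def reachable_at(self, ident: str, now: float) -> bool:
        return any(i.value == ident and i.valid_at(now) for i in self.history)


class EphemeralInitiator(Initiator):
    """Ephemeral IDs as in the thread: a fresh ID per connection, not reachable later."""
    preferred_lifetime = 0.0
    valid_lifetime = 0.0


def identity_comparison_ok(host: Initiator, t_first: float, t_second: float) -> bool:
    """Responder treats the source ID as identity: same initiator iff same ID."""
    return host.source_id(t_first) == host.source_id(t_second)


def callback_ok(host: Initiator, t_learned: float, t_callback: float) -> bool:
    """Responder later calls back to the ID it learned at t_learned."""
    return host.reachable_at(host.source_id(t_learned), t_callback)
```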