
Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures



    > From: Christian Vogt <christian.vogt@nomadiclab.com>

    > Ah, you are using global trust anchors.  That will work, yes.
    > One question, though: Who will be the entity in charge of operating a
    > root CDR (and hence of signing ID/locator mappings)? This entity will
    > be in a very powerful position

Well, to start with, there is no single entity which signs bindings for the
entire namespace - as I mentioned, we would probably want to split the
namespace up into zones (e.g. maybe /8's), and have a separate key (and
signing entity) for each zone, in part so that no single break-in can
compromise (and require re-signing of) bindings across the entire namespace.

Your question raises a separate issue, though, which is that in that scheme
as I described it, each portion of the namespace would indeed have one entity
which is in charge of signing bindings for it, and yes, that would be a
powerful position.

We can change that, but it's really a question of how much configuration
overhead one wishes to incur, versus the amount of flexibility in terms of
distributing that 'power'. E.g. we could have multiple *wholly independent*
signers for each zone of the namespace (each would have a separate private
'primary' key), and so a signed binding would be marked with the identity of
the verifier which has signed each.

Etc, etc, etc. It all depends on how much flexibility the users want; more
can be built in, but it has a cost.

    > more powerful than any entity can be in today's Internet. There is no
    > single entity today that has control over IP connectivity in a large
    > part of the Internet.

Well, what about the DNS root? Yes, there are multiple roots, but they contain
the same data. Ooops, I see, you make that exact point:

    > OTOH, we do have a similar dependency on root DNS(SEC) servers. That's
    > for domain-name/address mappings, though, not for base IP connectivity.

True.


    > Thanks for discussing this in detail!

Thanks, but no thanks are really needed - I am very interested to hear any
comments people have to make, because I am concerned that there are things I
have missed, or that there are operational aspects which I haven't taken
sufficiently into consideration, stuff like that. I'm always ready to hear
anything that might improve the design!

So, let me know what you think about the 'multiple independent signing
authorities' concept as a way to deal with the sole (per zone) global trust
anchor issue you raised; if that doesn't work, I'll see if I can come up with
something better.

	Noel
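
The per-zone, multiple-independent-signer policy discussed above, as an added Python example that is not part of the thread or of any RRG proposal's code: the /8 zone prefixes, signer names and keys are constructed, and an HMAC with a per-signer key stands in for the public-key signature a real CDR would use, so only the trust-anchor logic is the point.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed trust-anchor configuration (assumption for this example): each /8
# zone of the ID namespace has its own, wholly independent signers, each with a
# separate primary key. HMAC stands in for an asymmetric signature here.
ZONE_SIGNERS = {
    "10.0.0.0/8": {"signer-A": b"key-a", "signer-B": b"key-b"},
    "172.0.0.0/8": {"signer-C": b"key-c"},
}


@dataclass(frozen=True)
class Binding:
    identifier: str   # the ID being mapped, e.g. "10.1.2.3"
    locator: str      # the locator it maps to, e.g. "192.0.2.1"
    signer: str       # identity of the signer that produced the signature
    signature: bytes


def zone_for(identifier):
    """Return the zone (here a /8) that contains the identifier, or None."""
    addr = ipaddress.ip_address(identifier)
    for zone in ZONE_SIGNERS:
        if addr in ipaddress.ip_network(zone):
            return zone
    return None


def _message(identifier, locator, signer):
    # The signer identity is covered by the signature so it cannot be swapped.
    return f"{identifier}|{locator}|{signer}".encode()


def sign_binding(identifier, locator, signer, key):
    sig = hmac.new(key, _message(identifier, locator, signer), hashlib.sha256).digest()
    return Binding(identifier, locator, signer, sig)


def verify_binding(b):
    """Accept only a binding whose signer is a configured trust anchor for the
    zone containing the identifier, and whose signature verifies under that key."""
    zone = zone_for(b.identifier)
    if zone is None:
        return False
    key = ZONE_SIGNERS[zone].get(b.signer)
    if key is None:   # valid signer elsewhere, but not a trust anchor for this zone
        return False
    expected = hmac.new(key, _message(b.identifier, b.locator, b.signer), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b.signature)


def bindings_to_resign(compromised_signer, bindings):
    """A break-in at one signer only forces re-signing of that signer's bindings."""
    return [b for b in bindings if b.signer == compromised_signer]
```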

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg