Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures

[David Conrad <drc@virtualized.org>]

Noel,

On Jan 16, 2008, at 11:06 AM, Noel Chiappa wrote:
> > Ah, you are using global trust anchors.  That will work, yes.
> > One question, though: Who will be the entity in charge of operating a
> > root CDR (and hence of signing ID/locator mappings)? This entity will
> > be in a very powerful position
>
> Well, to start with, there is no single entity which signs bindings  
> for the
> entire namespace - as I mentioned, we would probably want to split the
> namespace up into zones (e.g. maybe /8's), and have a separate key  
> (and
> signing entity) for each zone, in part so that no single break-in can
> compromise (and require re-signing of) bindings across the entire  
> nameapace.

Isn't the implication of this a need to rollover multiple keys for the  
multiple namespace authorities, that is, instead of having 1 trust  
anchor that you periodically rollover, you have 256?  (I'm assuming  
you would need to rollover keys as a normal part of security hygiene).

> We can change that, but it's really a question of how much  
> configuration
> overhead one wishes to incur, versus the amount of flexibility in  
> terms of
> distributing that 'power'.

And how much 'touching' of the trust hierarchy you want to impose on  
the lookup agents.

> > more powerful than any entity can be in today's Internet. There is  
> > no u
> > single entity today that has control over IP connectivity in a large
> > part of the Internet.
>
> Well, what about the DNS root? Yes, there are multiple roots, but  
> they contain
> the same data. Ooops, I see, you make that exact point:
>
> > OTOH, we do have a similar dependency on root DNS(SEC) servers.  
> > That's
> > for domain-name/address mappings, though, not for base IP  
> > connectivity.
>
> True.

Being somewhat in the crosshairs of the root signing situation with  
DNSSEC, I should probably point out that the political ramifications  
of a single root are decidedly non-trivial (and that's just for  
something that has limited impact on whether packets get from A to  
B).  But then again, having multiple roots means the lookup agents  
have multiple chances of getting things wrong.

> So, let me know what you think about the 'multiple independent signing
> authorities' concept as a way to deal with the sole (per zone)  
> global trust
> anchor issue you raised; if that doesn't work, I'll see if I can  
> come up with
> something better.

What are your thoughts on multiple independent signing authorities,  
with each authority signing the bindings for the entire namespace?  If  
you have (say) 2 independent trust anchors for the entire namespace  
then you could cross validate (if necessary... sort of like getting a  
second opinion if validation fails) while only having 2 things to  
break when you configure your lookup agent...

Regards,
-drc


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg