[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] On "jack-down" models

To: Scott Brim <swb@employees.org>
Subject: Re: [RRG] On "jack-down" models
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Date: Mon, 17 Mar 2008 06:28:32 +0200
Cc: tony.li@tony.li, "'Routing Research Group'" <rrg@psg.com>
In-reply-to: <47DDC084.8050708@employees.org>
References: <007101c88746$512d1a70$6e00a8c0@ad.redback.com> <47DDC084.8050708@employees.org>

Scott,

I mostly agree with you (with some caveats of whether I understandyou correctly). Where I perhaps disagree is in the need for network-layer end-to-end non-routing identifiers. They are quite useful.See below.

[Jack down] has obvious security implications which will, ineffect, require a security association between hosts. Thatsecurity association effectively requires some security token(e.g., a public-private key pair used to compute a session key) sothat the correspondent host can be assured that the componentconnections are indeed related. This security token is, for allintents and purposes, a host identifier.
I question the very last step. The various multiplexed transportlayer connections are unified by something at or above theirlevel. Therefore an identification/authentication mechanism tounify them could be, perhaps should be, at a higher layer. Itcould be a transport-layer identity for the entire host, butcertainly doesn't need to be. In fact I don't see a *requirement*for a network-layer or even transport-layer identity to be used inend-to-end authentication (routing yes).

While I can easily see architectures where such network-layer ortransport-layer identities do not exist, especially the network-layerones are quite useful.

Specifically, network-layer host-to-host identifiers make a) host-based mobility and b) host-based multi-homing (aka multi-access)easier especially in the multi-operator (roaming) situations.However, for such use the network-layer identifiers can be bothanonymous (not bound to a real-world identity) and ephemeral. Theyneed to be cryptographically relatively strong, though, i.e. at leastcomposed of several tokens or, preferably, based on hash chains orshared secrets.

"Jack-up" removed location from the IP address by introducinganother relationship (edge-to-edge, ITR-ETR) below it. "Jack-down"would remove identity by introducing another relationship (e2e,authentication function) above it. The terminology seemsreasonable and I can see why you would like the symmetry, but I'mnot sure it's useful. :-)

And the offered functionality may not differ that much, in the end.In the jack-up case the "split" is in the network, but but a host canbe considered a part of the network. In the "jack-down" case thesplit is in the host, but the host can be "extended" to a local ETR/ITR by "adding" a local IP-connection "within" the (conceptual)host. That is all in

http://datatracker.ietf.org/drafts/draft-nikander-ram-generix-proxying/

First, there are intermediate schemes, for example those that donot remove all "address" functionality from EIDs but still use themfor locally scoped routing.


I think (but haven't checked) the generix draft covers some such cases.

Second, as I said above, I am quite unsure that the old way ofthinking of general purpose end system IDs is actually useful. Wecan have network-layer identities, or transport-layer ones, butwhat will we use them for?

They are very useful for host mobility and multi-access.Architecturally, their economic value derives from them allowing ahost a better capability of choice between operators in a multi-access situation.

The IP layer itself doesn't care what addresses are on the packetsit receives. It's only higher layers that care. I'm on the vergeof invoking the end-to-end argument, because it seems that as timegoes on our needs for sophistication in higher layer identificationand authentication increase, and that the transport layer shouldn'tprovide identity and authentication for its client layers, becausein the future it won't be able to do an adequate, specific-enoughjob of it.
So we could have the very nice symmetric distinguisher of jack-up/jack-down, but it implies that the use of network-layer (maybetransport-layer) identifiers is architectually fundamental. I getthe feeling that our thinking is evolving away from that.

I agree. I do think that in the long run we are moving away from end-to-end, towards some kind of trust-to-trust architectures [DaveClark]. But I'm afraid that such practises are at least 10 years inthe future. And even there ephemeral, crypto-strong node-to-nodeidentifiers may be very useful. However, I do think that a HIP-likeintermediate step towards such architectures is probably veryuseful. It will take quite a long before the upper layers will be upto the task of really managing trust-to-trust.


--Pekka Nikander


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

Follow-Ups:
- Re: [RRG] On "jack-down" models
  - From: Scott Brim <swb@employees.org>
- [RRG] Some concern about the flat label as identifier
  - From: Xu Xiaohu <xuxh@huawei.com>

References:
- [RRG] On "jack-down" models
  - From: "Tony Li" <tony.li@tony.li>
- Re: [RRG] On "jack-down" models
  - From: Scott Brim <swb@employees.org>

Prev by Date: [RRG] Hosts, DFZ, purity & incremental deployment
Next by Date: RE: [RRG] LISP next steps
Previous by thread: Re: [RRG] On "jack-down" models
Next by thread: [RRG] Some concern about the flat label as identifier
Index(es):
- Date
- Thread