[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RRG] On "jack-down" models
Scott,
I mostly agree with you (with some caveats of whether I understand
you correctly). Where I perhaps disagree is in the need for network-
layer end-to-end non-routing identifiers. They are quite useful.
See below.
[Jack down] has obvious security implications which will, in
effect, require a security association between hosts. That
security association effectively requires some security token
(e.g., a public-private key pair used to compute a session key) so
that the correspondent host can be assured that the component
connections are indeed related. This security token is, for all
intents and purposes, a host identifier.
I question the very last step. The various multiplexed transport
layer connections are unified by something at or above their
level. Therefore an identification/authentication mechanism to
unify them could be, perhaps should be, at a higher layer. It
could be a transport-layer identity for the entire host, but
certainly doesn't need to be. In fact I don't see a *requirement*
for a network-layer or even transport-layer identity to be used in
end-to-end authentication (routing yes).
While I can easily see architectures where such network-layer or
transport-layer identities do not exist, especially the network-layer
ones are quite useful.
Specifically, network-layer host-to-host identifiers make a) host-
based mobility and b) host-based multi-homing (aka multi-access)
easier especially in the multi-operator (roaming) situations.
However, for such use the network-layer identifiers can be both
anonymous (not bound to a real-world identity) and ephemeral. They
need to be cryptographically relatively strong, though, i.e. at least
composed of several tokens or, preferably, based on hash chains or
shared secrets.
"Jack-up" removed location from the IP address by introducing
another relationship (edge-to-edge, ITR-ETR) below it. "Jack-down"
would remove identity by introducing another relationship (e2e,
authentication function) above it. The terminology seems
reasonable and I can see why you would like the symmetry, but I'm
not sure it's useful. :-)
And the offered functionality may not differ that much, in the end.
In the jack-up case the "split" is in the network, but but a host can
be considered a part of the network. In the "jack-down" case the
split is in the host, but the host can be "extended" to a local ETR/
ITR by "adding" a local IP-connection "within" the (conceptual)
host. That is all in
http://datatracker.ietf.org/drafts/draft-nikander-ram-generix-proxying/
First, there are intermediate schemes, for example those that do
not remove all "address" functionality from EIDs but still use them
for locally scoped routing.
I think (but haven't checked) the generix draft covers some such cases.
Second, as I said above, I am quite unsure that the old way of
thinking of general purpose end system IDs is actually useful. We
can have network-layer identities, or transport-layer ones, but
what will we use them for?
They are very useful for host mobility and multi-access.
Architecturally, their economic value derives from them allowing a
host a better capability of choice between operators in a multi-
access situation.
The IP layer itself doesn't care what addresses are on the packets
it receives. It's only higher layers that care. I'm on the verge
of invoking the end-to-end argument, because it seems that as time
goes on our needs for sophistication in higher layer identification
and authentication increase, and that the transport layer shouldn't
provide identity and authentication for its client layers, because
in the future it won't be able to do an adequate, specific-enough
job of it.
So we could have the very nice symmetric distinguisher of jack-up/
jack-down, but it implies that the use of network-layer (maybe
transport-layer) identifiers is architectually fundamental. I get
the feeling that our thinking is evolving away from that.
I agree. I do think that in the long run we are moving away from end-
to-end, towards some kind of trust-to-trust architectures [Dave
Clark]. But I'm afraid that such practises are at least 10 years in
the future. And even there ephemeral, crypto-strong node-to-node
identifiers may be very useful. However, I do think that a HIP-like
intermediate step towards such architectures is probably very
useful. It will take quite a long before the upper layers will be up
to the task of really managing trust-to-trust.
--Pekka Nikander
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg