[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] On "jack-down" models



Scott,

I mostly agree with you (with some caveats of whether I understand you correctly). Where I perhaps disagree is in the need for network- layer end-to-end non-routing identifiers. They are quite useful. See below.

[Jack down] has obvious security implications which will, in effect, require a security association between hosts. That security association effectively requires some security token (e.g., a public-private key pair used to compute a session key) so that the correspondent host can be assured that the component connections are indeed related. This security token is, for all intents and purposes, a host identifier.

I question the very last step. The various multiplexed transport layer connections are unified by something at or above their level. Therefore an identification/authentication mechanism to unify them could be, perhaps should be, at a higher layer. It could be a transport-layer identity for the entire host, but certainly doesn't need to be. In fact I don't see a *requirement* for a network-layer or even transport-layer identity to be used in end-to-end authentication (routing yes).

While I can easily see architectures where such network-layer or transport-layer identities do not exist, especially the network-layer ones are quite useful.

Specifically, network-layer host-to-host identifiers make a) host- based mobility and b) host-based multi-homing (aka multi-access) easier especially in the multi-operator (roaming) situations. However, for such use the network-layer identifiers can be both anonymous (not bound to a real-world identity) and ephemeral. They need to be cryptographically relatively strong, though, i.e. at least composed of several tokens or, preferably, based on hash chains or shared secrets.

"Jack-up" removed location from the IP address by introducing another relationship (edge-to-edge, ITR-ETR) below it. "Jack-down" would remove identity by introducing another relationship (e2e, authentication function) above it. The terminology seems reasonable and I can see why you would like the symmetry, but I'm not sure it's useful. :-)

And the offered functionality may not differ that much, in the end. In the jack-up case the "split" is in the network, but but a host can be considered a part of the network. In the "jack-down" case the split is in the host, but the host can be "extended" to a local ETR/ ITR by "adding" a local IP-connection "within" the (conceptual) host. That is all in
http://datatracker.ietf.org/drafts/draft-nikander-ram-generix-proxying/

First, there are intermediate schemes, for example those that do not remove all "address" functionality from EIDs but still use them for locally scoped routing.

I think (but haven't checked) the generix draft covers some such cases.

Second, as I said above, I am quite unsure that the old way of thinking of general purpose end system IDs is actually useful. We can have network-layer identities, or transport-layer ones, but what will we use them for?

They are very useful for host mobility and multi-access. Architecturally, their economic value derives from them allowing a host a better capability of choice between operators in a multi- access situation.

The IP layer itself doesn't care what addresses are on the packets it receives. It's only higher layers that care. I'm on the verge of invoking the end-to-end argument, because it seems that as time goes on our needs for sophistication in higher layer identification and authentication increase, and that the transport layer shouldn't provide identity and authentication for its client layers, because in the future it won't be able to do an adequate, specific-enough job of it.

So we could have the very nice symmetric distinguisher of jack-up/ jack-down, but it implies that the use of network-layer (maybe transport-layer) identifiers is architectually fundamental. I get the feeling that our thinking is evolving away from that.

I agree. I do think that in the long run we are moving away from end- to-end, towards some kind of trust-to-trust architectures [Dave Clark]. But I'm afraid that such practises are at least 10 years in the future. And even there ephemeral, crypto-strong node-to-node identifiers may be very useful. However, I do think that a HIP-like intermediate step towards such architectures is probably very useful. It will take quite a long before the upper layers will be up to the task of really managing trust-to-trust.

--Pekka Nikander


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg