[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] On "jack-down" models

To: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [RRG] On "jack-down" models
From: Scott Brim <swb@employees.org>
Date: Thu, 27 Mar 2008 11:01:08 -0400
Cc: tony.li@tony.li, "'Routing Research Group'" <rrg@psg.com>
In-reply-to: <E3B46518-B342-4C75-A0EF-F405A8A45233@nomadiclab.com>
References: <007101c88746$512d1a70$6e00a8c0@ad.redback.com> <47DDC084.8050708@employees.org> <E3B46518-B342-4C75-A0EF-F405A8A45233@nomadiclab.com>
User-agent: Thunderbird 2.0.0.12 (Macintosh/20080213)

On 3/17/08 12:28 AM, Pekka Nikander allegedly wrote:

Scott,
I mostly agree with you (with some caveats of whether I understand youcorrectly). Where I perhaps disagree is in the need for network-layerend-to-end non-routing identifiers. They are quite useful. See below.
[Jack down] has obvious security implications which will, in effect,require a security association between hosts. That securityassociation effectively requires some security token (e.g., apublic-private key pair used to compute a session key) so that thecorrespondent host can be assured that the component connections areindeed related. This security token is, for all intents andpurposes, a host identifier.
I question the very last step. The various multiplexed transportlayer connections are unified by something at or above their level.Therefore an identification/authentication mechanism to unify themcould be, perhaps should be, at a higher layer. It could be atransport-layer identity for the entire host, but certainly doesn'tneed to be. In fact I don't see a *requirement* for a network-layeror even transport-layer identity to be used in end-to-endauthentication (routing yes).
While I can easily see architectures where such network-layer ortransport-layer identities do not exist, especially the network-layerones are quite useful.
Specifically, network-layer host-to-host identifiers make a) host-basedmobility and b) host-based multi-homing (aka multi-access) easierespecially in the multi-operator (roaming) situations. However, forsuch use the network-layer identifiers can be both anonymous (not boundto a real-world identity) and ephemeral. They need to becryptographically relatively strong, though, i.e. at least composed ofseveral tokens or, preferably, based on hash chains or shared secrets.


Hi Pekka.  This feels circular.

Specifically how does a network-layer ID make host-based mobility and
multihoming easier?  I'm wondering about the real need.  Yes, you need
some kind of ID -- does the ID need to be a general one at the network

layer? It would seem that the naming need is in higher layers, not atthe network layer per se.


When a host works from multiple IP addresses (either serially or
simultaneously), which functions need to know that this is in fact the

same host? It's for service continuity. The IP layer doesn't care.Transport might care but won't know how to use the knowledgeeffectively. (E2E principle within a general-purpose stack.)


It used to be obvious to us that a network-layer node name was
important, but I get the feeling that times have changed and identifiers
are more important higher up the stack.

And the offered functionality may not differ that much, in the end. Inthe jack-up case the "split" is in the network, but but a host can beconsidered a part of the network. In the "jack-down" case the split isin the host, but the host can be "extended" to a local ETR/ITR by"adding" a local IP-connection "within" the (conceptual) host. That isall in
http://datatracker.ietf.org/drafts/draft-nikander-ram-generix-proxying/


Yes.  That was a useful draft.

The IP layer itself doesn't care what addresses are on the packets itreceives. It's only higher layers that care. I'm on the verge ofinvoking the end-to-end argument, because it seems that as time goeson our needs for sophistication in higher layer identification andauthentication increase, and that the transport layer shouldn'tprovide identity and authentication for its client layers, because inthe future it won't be able to do an adequate, specific-enough job of it.
So we could have the very nice symmetric distinguisher ofjack-up/jack-down, but it implies that the use of network-layer (maybetransport-layer) identifiers is architectually fundamental. I get thefeeling that our thinking is evolving away from that.
I agree. I do think that in the long run we are moving away fromend-to-end, towards some kind of trust-to-trust architectures [DaveClark]. But I'm afraid that such practises are at least 10 years in thefuture. And even there ephemeral, crypto-strong node-to-nodeidentifiers may be very useful. However, I do think that a HIP-likeintermediate step towards such architectures is probably very useful.It will take quite a long before the upper layers will be up to the taskof really managing trust-to-trust.

That's the only substantial reason I can think of to pursue networklayer identifiers -- identity should be handled by the functions thatneed it, but as long as they can't, we can coddle them by hiding theproblem from them.


Sorry this took so long.  I'm following up on this thread now.

Scott


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

Follow-Ups:
- Re: [RRG] On "jack-down" models
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- RE: [RRG] On "jack-down" models
  - From: Randall Atkinson <rja@extremenetworks.com>

References:
- [RRG] On "jack-down" models
  - From: "Tony Li" <tony.li@tony.li>
- Re: [RRG] On "jack-down" models
  - From: Scott Brim <swb@employees.org>
- Re: [RRG] On "jack-down" models
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>

Prev by Date: Re: [RRG] Mitigating the Downsides of NAT'ing
Next by Date: RE: [RRG] On "jack-down" models
Previous by thread: RE: [RRG] re: Some concern about the flat label as identifier
Next by thread: RE: [RRG] On "jack-down" models
Index(es):
- Date
- Thread