Hosting Provided By

Re: [Hipsec-rg] Some comments on draft-ahrenholz-hiprg-dht-01

From: Ahrenholz, Jeffrey M <jeffrey.m.ahrenholz(at)boeing.com>
Date: Wed Aug 08 2007 - 11:17:44 EDT

Samu,
I see why you were thinking about using BEX...

> Protection for this could be done with modifications to the
> DHT code to
> make it HIP enabled or then just check the signature in put msg. The
> second one is actually mentioned in
> OpenDHT: A Public DHT Service and Its Uses.

Yes, the second option of modifying the DHT server to verify signatures is also covered in Section 3.2 of the draft.

> Both of these approaches need modifications to bamboo code. Requiring
> BEX would offer some extra benefits like DoS prevention stuff. If DHT
> just checked the signature for every packet it would be easier for
> malicious users to
> get the DHT to do useless checks of msgs, but when requiring BEX it
> would at least slow them down.

So in summary of our last few emails, we have the following options:

normal hip-addr get/put
- no protection, can use OpenDHT
hip-secure-addr get/put w/client HIT/sig verification
- prevents record pollution, can use OpenDHT
hip-secure-addr get/put w/server HIT/sig verification
- prevents pollution and client flooding, must modify DHT
hip-secure-addr get/put over a HIP association w/server HIT comparison
- prevents server DoS, pollution, client flooding, response spoofing, etc.
- must modify DHT and run HIP
hip-secure-addr get/put over HIP association w/server HIT comparison, address check using HIP/SHIM6 API
- prevents server DoS, pollution, client flooding, response spoofing, etc.
- must modify DHT, run HIP, integrate with APIs

Options 1-3 are already covered in draft-ahrenholz-hiprg-dht-01. As Tom wrote in his reply, we should sketch out some requirements.

Maybe this draft should cover options 1-3 (or 1-2?) (with mention of the other options), with the goal of using OpenDHT for interoperability and easy deployment. I need to look at the drafts Philip referenced.

This draft could refer to a separate, more advanced HIP-aware DHT draft, that could deal with options 4 and 5. Maybe in the advanced draft a subset of the HIP hosts themselves are running an integrated HIP-aware DHT in a P2P fashion.

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related listserv.cybertrust.com Links hipsec-rg Request more information about Pantek

-Jeff

Hipsec-rg mailing list
Hipsec-rg@listserv.cybertrust.com
https://listserv.cybertrust.com/mailman/listinfo/hipsec-rg Received on Wed Aug 8 11:18:13 2007

This message: [ Message body ]
Next message: Miika Komu: "Re: [Hipsec-rg] Some comments on draft-ahrenholz-hiprg-dht-01"
Previous message: Samu Varjonen: "Re: [Hipsec-rg] Some comments on draft-ahrenholz-hiprg-dht-01"
In reply to: Samu Varjonen: "Re: [Hipsec-rg] Some comments on draft-ahrenholz-hiprg-dht-01"
Next in thread: Miika Komu: "Re: [Hipsec-rg] Some comments on draft-ahrenholz-hiprg-dht-01"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Mon Oct 29 2007 - 14:16:02 EDT