FWIW, on the particular topic of name stability, it might be worth
consulting https://tools.ietf.org/html/draft-sctl-service-registration-00,
particularly section 5, which talks about first-come, first-served name
registration.   The document is expired because we've been distracted by
implementation recently, but a new version should be coming out shortly.
This is of course an extension to DNSSD, and therefore can't be counted on
to be present in existing devices, so for those devices the security of
names isn't really possible to guarantee in any meaningful way—as you've
both said, neither the MAC address nor the IP address can be used as an
identifier with any confidence.

On Tue, Jun 19, 2018 at 11:50 AM, Andrew Sullivan <[email protected]>
wrote:

> On Mon, Jun 18, 2018 at 06:32:26PM -0400, Michael Richardson wrote:
> > Users need to be able to connect policies (including, but not just
> > security policies) to both pretty names ("the office printer"), and to
> > stable identities.   Neither thing should have anything to do with IP
> > addresses (which get renumbered), nor with MAC addresses (which may be
> > more frequently randomized, even for things like printers).
>
> I think this is right, but it seems to me we could be slightly more
> formal.
>
> Over time, a device has one or more MAC addresses; the MAC address must
> not be treated as a stable identifier because it may change over time.
>
> At a given time, a given MAC address may have 0 or more IP addresses
> assigned.  If any MAC address has an IP address assigned to it, that
> address is expected to be assigned automatically.  It is expected to
> change.  An {IP, MAC} tuple should not be treated as a stable
> identifier because both elements of the identifier may change over
> time.
>
> Each device will have at least one name.
>
> Some names are automatically assigned through the workings of mDNS or
> hybrid multicast DNS (or both).  In particular, when devices are
> available by mDNS they are available by name, but the names are
> checked (and if need be changed) algorithmically in order to prevent
> duplication.  Names are unique within the scope of the homenet, and
> devices will change their names in the event of collision.
>
> Some names are generated by users, and assigned to devices, depending
> on whether the device supports that functionality.  These names MUST
> NOT be changed algorithmically by devices, and MUST NOT collide with
> automatically-generated names.  These names may be globally-unique, or
> may be unique only in the scope of the homenet.
>
>
> I _think_ that covers all the cases, but I might have missed
> something.
>
> A
>
> --
> Andrew Sullivan
> [email protected]
>
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
>
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
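As an added illustration (not code from this thread, and not any IETF or homenet implementation), the naming rules in Andrew's message above can be written down as a small in-memory registry: auto-assigned names are deduplicated with RFC 6762 section 9 style suffixes ("printer", "printer (2)", ...), user-assigned names are never altered by the registry and must not collide with any existing name, and MAC and IP addresses are recorded as attributes of a device but are deliberately not usable as lookup keys. The `device_id` handle, the class and method names, and the sample names and addresses in the comments are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Device:
    # device_id is a hypothetical opaque handle chosen by the registry;
    # it is deliberately neither a MAC address nor an IP address.
    device_id: str
    auto_name: str                      # mDNS-style name, may be suffixed on collision
    user_name: Optional[str] = None     # user-assigned, never altered by the registry
    macs: Set[str] = field(default_factory=set)   # every MAC seen over time
    ips: Set[str] = field(default_factory=set)    # addresses observed so far


class HomenetNames:
    """Name registry for one homenet (assumed scope). Names are unique within
    the homenet and are compared case-insensitively, as DNS names are."""

    def __init__(self) -> None:
        self._by_name: Dict[str, Device] = {}   # lowercase name -> owning device
        self._devices: Dict[str, Device] = {}   # device_id -> Device

    def _next_free(self, wanted: str) -> str:
        # RFC 6762 section 9 style: "printer", then "printer (2)", "printer (3)", ...
        candidate, n = wanted, 2
        while candidate.lower() in self._by_name:
            candidate = f"{wanted} ({n})"
            n += 1
        return candidate

    def register(self, device_id: str, wanted: str) -> str:
        """A device announces the name it would like. As with mDNS probing it
        keeps that name if free and otherwise gets the next free suffixed form.
        User names live in the same map, so an auto name can never land on one.
        Returns the auto name actually assigned."""
        if device_id in self._devices:
            raise ValueError(f"{device_id} is already registered")
        name = self._next_free(wanted)
        dev = Device(device_id=device_id, auto_name=name)
        self._devices[device_id] = dev
        self._by_name[name.lower()] = dev
        return name

    def set_user_name(self, device_id: str, name: str) -> None:
        """Attach a user-chosen name. It must not collide with any auto or user
        name of another device, and there is no suffixing here: the registry is
        not allowed to change what the user typed, so a collision is an error."""
        dev = self._devices[device_id]
        owner = self._by_name.get(name.lower())
        if owner is not None and owner is not dev:
            raise ValueError(f"{name!r} is already in use by {owner.device_id}")
        old = dev.user_name
        if old is not None and old.lower() != dev.auto_name.lower():
            del self._by_name[old.lower()]      # release the previous user name
        dev.user_name = name
        self._by_name[name.lower()] = dev

    def observe(self, device_id: str, mac: Optional[str] = None,
                ip: Optional[str] = None) -> None:
        """Record addresses as they are seen. They are attributes of a device,
        not keys: there is intentionally no lookup by MAC or by IP."""
        dev = self._devices[device_id]
        if mac:
            dev.macs.add(mac.lower())
        if ip:
            dev.ips.add(ip)

    def lookup(self, name: str) -> Optional[str]:
        """Resolve either kind of name to the stable device_id."""
        dev = self._by_name.get(name.lower())
        return dev.device_id if dev else None

    def device(self, device_id: str) -> Device:
        return self._devices[device_id]


if __name__ == "__main__":
    # Constructed walk-through of the rules (sample names and addresses are made up).
    reg = HomenetNames()
    reg.register("dev-a", "printer")            # -> "printer"
    reg.register("dev-b", "printer")            # -> "printer (2)"
    reg.set_user_name("dev-a", "the office printer")
    reg.register("dev-d", "the office printer") # -> "the office printer (2)", user name protected
    reg.observe("dev-a", mac="02:00:00:00:00:01", ip="2001:db8::1")
    reg.observe("dev-a", mac="02:00:00:00:00:02", ip="2001:db8::2")  # addresses moved...
    print(reg.lookup("the office printer"))      # ...but the name still resolves to dev-a
```

The one design choice worth noting is what happens when a user picks a name that an auto-named device already holds: this example refuses it, which is the conservative reading of "MUST NOT collide". A registry could instead force the auto-named device to re-suffix, since that name is allowed to move algorithmically; either way the user's own string is never rewritten.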