Another topic for the open questions list:

- how to manage reverse DNS for CGEIDs? Can we provide some kind of LISP-MAP->DNS proxy acting as primary DNS? Is it possible for a LISP site to provide an RDNS name for a CGEID via the LISP mapping system for that proxy?

Renne


Am 2013-11-08 16:53, schrieb Rene Bartsch:
We can call such an EID "CGEID" or "Cryptographically Generated
Endpoint IDentifier"! ;-)

Renne


Am 2013-11-08 16:14, schrieb Rene Bartsch:
Meanwhile I'm considering whether using a /64 EID-prefix with CGA
addresses is the easier solution for 1.)

It provides the following features for a single EID:

- self-assigned
- no registration necessary
- no fees
- static
- public
- globally roamable
- provider-independent
- EID-RLOC-mapping may be signed
- hosts can be authenticated
- the exchange of symmetric stream ciphers can be secured using the
CGA-RSA-keys (e.g. by IPSec)


It does not support the following features:

- routable subnets


Open questions:

- can EID-RLOC mappings be signed/is there a data field in the
distributed LISP-database structure for a signature?
- do the LISP-RFCs allow a LISP-site to contact a map server without
an authentication key, with the map server only checking whether the
EID-RLOC-mapping is signed correctly before publishing?
- how can (public) PITRs be encouraged to publish BGP-routes for a
CGA-EID to themselves?
- how can map servers be encouraged to provide a public service for
anonymous users with self-assigned CGA-EIDs?


Renne




Am 2013-11-08 13:16, schrieb Rene Bartsch:
Hi,

in the last week I proposed the idea of personal life-time
EID-prefixes. What worried me most was an infrastructure (LIRs?) to
assign EID-prefixes to natural persons.

Now, I have an idea to solve the assignment problem: EIDs hashed from
public RSA-keys.

Each device can generate a 4096-bit RSA-key pair and use a 128-bit
hash of the public RSA-key as EID. Using 128 bits would allow blending
the hashed EID into the IPv6 address space.

Security would also be improved, as the RSA-key pair can be used to
authenticate a device by checking whether the EID matches the public
RSA-key of the device, and the EID-RLOC-mapping entry on the map
servers can be signed with the RSA-key pair of the device.

Currently I'm considering the following two solutions:

1. /32 IPv6-prefix + 96-bit hash, low risk of EID collisions but
bloats mapping tables, suitable for single mobile devices
2. /8 IPv6-prefix + 56-bit hash, high risk of EID collisions but goes
easy on mapping tables, suitable for a /64 subnet behind a PxTR
3. Both

Please comment on the idea.

Renne

--
Best regards,

Rene Bartsch, B. Sc. Informatics
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
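An added illustration of the hashed-EID scheme from the first message in the thread (this is not code from the list or from any LISP implementation): it derives an EID from public-key bytes for both the /32 + 96-bit and the /8 + 56-bit variants, performs the "does the EID match the public key" authentication check, and estimates the collision risk of each hash length with the birthday bound. SHA-256 as the hash function, the prefixes, and the key bytes are assumptions and placeholders, since the mail does not specify them.

```python
import hashlib
import ipaddress
import math

# Constructed placeholder standing in for DER-encoded RSA public keys.
# No real key material; any byte string works for the derivation.
SAMPLE_PUBKEY_DER = b"CONSTRUCTED-SAMPLE-RSA-PUBLIC-KEY-DER-BYTES-" * 4
OTHER_PUBKEY_DER = b"CONSTRUCTED-DIFFERENT-RSA-PUBLIC-KEY-DER-BYTES-" * 4


def eid_from_pubkey(pubkey_der: bytes, prefix: str, hash_bits: int) -> ipaddress.IPv6Network:
    """Derive an EID: <prefix> followed by the top hash_bits of SHA-256(pubkey).

    /32 + 96 bits yields a single /128 host EID (option 1 in the mail);
    /8 + 56 bits yields a /64 EID-subnet (option 2). SHA-256 is an assumption.
    """
    net = ipaddress.IPv6Network(prefix)
    total = net.prefixlen + hash_bits
    if total > 128:
        raise ValueError("prefix length + hash bits must not exceed 128")
    digest = hashlib.sha256(pubkey_der).digest()
    hash_part = int.from_bytes(digest, "big") >> (256 - hash_bits)
    # Place the hash immediately after the prefix; remaining low bits stay zero.
    addr = int(net.network_address) | (hash_part << (128 - total))
    return ipaddress.IPv6Network((addr, total))


def eid_matches_pubkey(eid, pubkey_der: bytes, prefix: str, hash_bits: int) -> bool:
    """Authentication check from the mail: recompute the EID and compare."""
    return ipaddress.IPv6Network(eid) == eid_from_pubkey(pubkey_der, prefix, hash_bits)


def collision_probability(hash_bits: int, n_eids: int) -> float:
    """Birthday-bound estimate that at least two of n_eids share a hash value."""
    exponent = -(n_eids * (n_eids - 1)) / (2.0 * 2 ** hash_bits)
    return -math.expm1(exponent)


if __name__ == "__main__":
    host_eid = eid_from_pubkey(SAMPLE_PUBKEY_DER, "2001:db8::/32", 96)   # /32 + 96 bits
    subnet_eid = eid_from_pubkey(SAMPLE_PUBKEY_DER, "fd00::/8", 56)      # /8 + 56 bits
    print("option 1 host EID   :", host_eid)
    print("option 2 subnet EID :", subnet_eid)
    print("matches own key     :", eid_matches_pubkey(host_eid, SAMPLE_PUBKEY_DER, "2001:db8::/32", 96))
    print("matches other key   :", eid_matches_pubkey(host_eid, OTHER_PUBKEY_DER, "2001:db8::/32", 96))
    for bits in (56, 96):
        print(f"P(collision) with 2^28 EIDs, {bits}-bit hash: {collision_probability(bits, 2 ** 28):.3g}")
```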
