Short version: I was wrong to assume there was no way of looking up an
ILNP Identifier to get a FQDN and/or Locator(s). The lookup is in
principle possible with a Locator. However, this assumes the /64 network
whose Locator this is has a fully functioning, securely and rapidly
updated reverse DNS lookup system.
Further to my recent message, in which I assumed that it was not
possible to look up an Identifier to get a FQDN and/or Locator(s), I
just read in draft-rja-ilnp-intro-05:

   Reverse DNS lookups, to find a node's Fully Qualified Domain Name
   from the combination of a Locator and related Identifier value,
   can be performed as at present.
However, this involves the reverse DNS of the /64 network being
securely updated with a FQDN. I am not sure how this could be done
securely or without a lot of trouble.
To make SeND or similar securely able to determine whether a lower
order 64 bit value such as VVVV was in fact an ILNP identifier, it
would be necessary for the requesting host to also provide a set of
upper 64 bits UUUU, and then for the SeND etc. system to do a reverse
DNS lookup on that. So the UUUU must be a locator in a previous
access network which has maintained its reverse DNS in some way.
Then the SeND etc. system could look up the FQDN and securely
determine whether the results included an ID record containing VVVV.
This would be a start to forcing the host to prove it had the
credentials to use this VVVV as an ILNP identifier, which would
overcome (in an expensive and probably slow fashion) one barrier to
securely checking hosts' requests for a given low order set of bits in
their IP addresses.
However, I mentioned other barriers to this being possible - and it
would involve altering the behaviour of routers in IPv6 networks in
order to enable them to be usable for ILNP mobility whilst also being
immune to the attack proposed by Xiaohu Xu.
- Robin
_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
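The two-step check Robin sketches (reverse-look-up UUUU:VVVV to a FQDN,
then confirm that the FQDN's ID record set actually contains VVVV) can
be written out as a small verifier. The following is an added example,
not code from the rrg thread or from any ILNP implementation. The DNS
data is a constructed in-memory stand-in for the reverse (ip6.arpa) and
forward zones; the host names, the 2001:db8::/32 addresses and the
representation of an ID record as 16 hex digits are all assumptions, as
is the RR type name "ID" (the draft text quoted above is the only thing
the message says about it).

```python
import ipaddress

# --- Constructed sample data (assumed, not real DNS) -------------------
# Address layout as in the message: upper 64 bits UUUU = Locator,
# lower 64 bits VVVV = Identifier.
GOOD_ADDR  = "2001:db8:1:2:21e:c2ff:fe0a:1234"   # PTR and ID record agree
NO_PTR_ADDR = "2001:db8:9:9:21e:c2ff:fe0a:1234"  # same VVVV, Locator with no reverse DNS
STALE_ADDR = "2001:db8:1:2:dead:beef:0:1"        # PTR exists, but FQDN owns no such ID


def reverse_name(addr: str) -> str:
    """Owner name in ip6.arpa nibble form for a full 128-bit address."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def split_locator_identifier(addr: str) -> tuple[str, str]:
    """Return (UUUU, VVVV) as 16-hex-digit strings."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[:8].hex(), packed[8:].hex()


# Reverse zone: ip6.arpa name -> FQDN (what the message calls the
# "securely updated" reverse DNS of the /64 Locator).
PTR_ZONE = {
    reverse_name(GOOD_ADDR): "host1.example.net.",
    reverse_name(STALE_ADDR): "host1.example.net.",  # left behind after VVVV changed
}

# Forward zone: FQDN -> set of ID records (assumed 16-hex-digit form).
ID_ZONE = {
    "host1.example.net.": {"021ec2fffe0a1234"},
}


def verify_identifier(claimed_addr: str, ptr_zone: dict, id_zone: dict) -> tuple[bool, str]:
    """The check from the message, carried out over the constructed zones.

    1. Reverse-look-up the whole UUUU:VVVV address to a FQDN.
    2. Look up that FQDN's ID records and require that VVVV is among them.

    Only step 2 ties the Identifier to the name; step 1 is what forces
    the requester to name a Locator whose reverse zone it has been kept
    in.  Both lookups would need DNSSEC validation to be "secure" in the
    sense the message uses; that is outside this example.
    """
    fqdn = ptr_zone.get(reverse_name(claimed_addr))
    if fqdn is None:
        return False, "no PTR record for this Locator/Identifier pair"
    _, vvvv = split_locator_identifier(claimed_addr)
    if vvvv in id_zone.get(fqdn, set()):
        return True, fqdn
    return False, f"{fqdn} has no ID record {vvvv}"


if __name__ == "__main__":
    for addr in (GOOD_ADDR, NO_PTR_ADDR, STALE_ADDR):
        print(addr, "->", verify_identifier(addr, PTR_ZONE, ID_ZONE))
```

The STALE_ADDR case shows the failure mode the message worries about: a
reverse zone that is not kept in step with the host's current ID records
yields a PTR answer but no matching ID, so the host is rejected even
though step 1 succeeded. The NO_PTR_ADDR case is the cheaper rejection,
where the requester cannot name any Locator for which a reverse entry
exists.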