Re: [Hipsec] Question about multiple HIs for a single host
Hi,
Yes, it is possible to possess multiple HIs. If I understood your concern
correctly then I just want to correct one wrong assumption you have
made. The responder (peer) gets both the initiator's HI and HIT in the
I2 message, so there is no need to extract the HI from the DNS in
order to verify the signature. When the I2 is received the responder
verifies that the HIT matches with the HI received in the packet.
Regards,
Jan
WongErnuz wrote:
> Hi!
>
> I've been reading drafts on HIP and related papers, and I kinda got
> the idea that it is OK for a single host to possess multiple HIs (is
> that really possible?). If so, I think there has to be a one-to-one
> binding relationship between a certain HI and a FQDN, otherwise, when
> a peer host needs to extract the sender's HI from the DNS according to
> the received FQDN to check the signature, wouldn't it be possible for
> the host to obtain multiple HIs all at once? (since the sender has
> many HIs itself) Therefore, how is the host supposed to know which one
> to use? If HIP RR contains HIT in addition to HI, the receiver can
> compare the HIT received in the header with each of the HITs obtained
> from DNS to find the corresponding HI the sender is currently using
> with the FQDN. However, since HIT provision is optional in DNS, I
> think it is necessary to recommend each host use a unique HI for a
> particular FQDN to avoid the one-to-many mapping. Am I right?
>
> I'm sorry if the question seems stupid; I'm new on this...
>
> _______________________________________________
> Hipsec mailing list
> Hipsec at ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
>
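The check described in the reply above, as an added example that is not part of the original thread or of any HIP implementation: the responder recomputes the HIT from the HI carried in I2 and compares it with the HIT in the packet, which also picks the right HI when a host has several. The hash used to derive the HIT here (first 128 bits of SHA-256), the dictionary field names and the key bytes are assumptions made for illustration, not the derivation specified in the HIP drafts.

```python
import hashlib
import hmac

def derive_hit(hi: bytes) -> bytes:
    """Stand-in HIT derivation (assumption): 128 bits of a hash over the HI."""
    return hashlib.sha256(hi).digest()[:16]

def hit_matches_hi(sender_hit: bytes, hi: bytes) -> bool:
    """Responder-side check on I2: does the HIT in the packet match the HI in the packet?"""
    return hmac.compare_digest(derive_hit(hi), sender_hit)

def select_hi(sender_hit: bytes, candidate_his):
    """Among several HIs known for one host, return the one the HIT was derived from."""
    for hi in candidate_his:
        if hit_matches_hi(sender_hit, hi):
            return hi
    return None  # no candidate matches: reject the packet

# Constructed sample data: one host holding three HIs (placeholder key bytes).
HOST_HIS = [
    b"constructed-public-key-A",
    b"constructed-public-key-B",
    b"constructed-public-key-C",
]

def demo():
    in_use = HOST_HIS[1]
    # Hypothetical I2 representation: the packet carries both the HIT and the HI.
    i2 = {"sender_hit": derive_hit(in_use), "host_id": in_use}

    # Check using only what arrived in I2; no DNS lookup is involved.
    accepted = hit_matches_hi(i2["sender_hit"], i2["host_id"])

    # A HIT paired with a different HI of the same host does not pass.
    mismatched = hit_matches_hi(i2["sender_hit"], HOST_HIS[0])

    # With several candidate HIs, the HIT alone identifies which one is in use.
    picked = select_hi(i2["sender_hit"], HOST_HIS)
    return accepted, mismatched, picked

if __name__ == "__main__":
    print(demo())
```

After this check passes, the responder verifies the I2 signature with the same HI; that step is left out here because it needs a public-key library.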