Author: tjansen Date: Thu Jan 27 17:35:41 2011 New Revision: 2430 Log: some clarifications for trustpoints/pairing Modified: docs/protocol_spec/application.tex Modified: docs/protocol_spec/application.tex ============================================================================== --- docs/protocol_spec/application.tex Thu Jan 27 16:50:40 2011 (r2429) +++ docs/protocol_spec/application.tex Thu Jan 27 17:35:41 2011 (r2430) 
@@ -128,10 +128,30 @@ Client and trustpoint need to know each other for the trustpoint to forward traffic towards the internet. For the client to "know" its trustpoint it needs to know its IPv4 address in the PISA address space and the HIT this IP resolves to. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % ist das eigtl. korrekt ? kommt ja sehr auf die rolle des nutzers an, oder ? +%%%%%%%%%%%%%%%%%%%%%%% +% TJ: Nicht ganz. Die IPv4-Adresse im PISA-Namesraum (d.h. eine virtuelle IP) +% wird dem Client vom Server im Register Response mitgeteilt, die braucht vorab +% nicht bekannt zu sein. Was wohl benötigt wird, ist die public IP des +% Trustpoints. Die ist aber nicht im PISA Namensraum, sonder routbar im +% Internet. Da der TP aber typischerweise per DSL und damit mit +% nicht-statischer IP angebunden ist, muss hier mit DynDNS o.ä. gearbeitet +% werden, Details dazu stehen noch aus. +% In wie fern denn Rolle des Nutzers? Ein TP kann nur von einem Native Client +% benutzt werden, was die Rolle des Nutzers ziemlich einschränkt. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% A client may only have one trustpoint, the trustpoint is thus added as the default route/gateway for any Internet-bound traffic For the trustpoint to only forward traffic by a trusted client, the HIT (and signed certificate) of this client needs to be known. This information is exchanged prior to the client requesting Internet-bound traffic during the \emph{pairing} of these devices. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% TJ: Clients haben keine Zertifikate, nur Trustpoints (und Service Gateways). +% Die Clients werden über ihre HIT eindeutig identifiziert. Im Pairing merkt +% sich der TP dann, welche HITs sozusagen whitelisted sind. 
+% Ein Client kann theoretisch mit mehreren TPs gepaired sein, es darf +% allerdings nur eine aktive Relay-Verbindung geben, damit das Routing im +% Client funktioniert. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \item[Legacy router]
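Review bot: The corrections in this hunk live entirely inside `%` comments, so the compiled spec still makes the three claims the comments themselves identify as wrong. The body text still says the client must know the trustpoint's IPv4 address "in the PISA address space" (the comment says that virtual IP is assigned by the server in the Register Response, and what the client needs beforehand is the trustpoint's public, routable IP), that the trustpoint needs the client's "HIT (and signed certificate)" (the comment says clients have no certificates, are identified by HIT alone, and the trustpoint keeps a whitelist of HITs learned during pairing), and that "A client may only have one trustpoint" (the comment allows pairing with several trustpoints as long as only one relay connection is active). Suggest folding these into the prose instead, e.g. dropping "(and signed certificate)" and rewording to "A client may be paired with several trustpoints, but only one relay connection may be active at a time; that trustpoint is added as the default route/gateway for any Internet-bound traffic." (which also supplies the full stop missing before "For the trustpoint to only forward"). Two further points: the open issue of reaching a trustpoint on a non-static DSL address ("DynDNS o.ä. ... Details dazu stehen noch aus") is a requirement gap that belongs in a visible TODO rather than a comment, since pairing data is useless if the client cannot locate the trustpoint; and because the HIT whitelist is the only thing that authorizes a client to relay, the pairing description should state how the trustpoint obtains and verifies a client's HIT, not merely that it remembers it. Lastly, the new comments are in German inside an English-language spec; keep the source in one language.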