[hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy

• From: Miika Komu <886509@xxxxxxxxxxxxxxxxxx>
• To: hipl-dev@xxxxxxxxxxxxx
• Date: Fri, 04 May 2012 14:54:32 -0000

Few clarifications after some discussion with Xin:

1. I realized that the issue is irrelevant of HIP version number because (in 
theory) it's possible to include new algos in HIPv1.
2. Retrieving identities with "get hi all" is not an idea solution because it's 
just the run time identity configuration, not the actual algorithm support. For 
example, the following scenario works:
* Initiator and Responder support both algos A and B
* Initiator has a run-time identity for algo A and Responder for B

As the list of algorithm is quite static, I would suggest to store in in
DNS proxy directly instead of querying from daemon. See the list of
supported algos e.g. in hipd/hidb.c:get_public_key(). You could add a
note in the file lib/core/protodefs.h near HIP_HI_xx definitions to
update also DNS proxy whenever new algorithms are introduced.

This way, no new command line parameters for DNS proxy are needed and
you can filter based on PK algorithm field. So, this should be quite
simple.

(Note: a new hipconf option would introduce an additional bottleneck to
the boot-up sequence between hipd and dnsproxy, so I am not encouraging
it)

-- 
You received this bug notification because you are a member of HIPL core
team, which is subscribed to HIPL.
https://bugs.launchpad.net/bugs/886509

Title:
  HIPv2: cryptoagility for DNS proxy

Status in Host Identity Protocol for Linux:
  New

Bug description:
  HIPv2 requires some agility also in the DNS proxy. Let's have a look
  at an example.

  Remote host advertises its HIs with the following algorithms in DNS:
  * x
  * y
  * z

  But the local host supports only the following algos for its HITs:
  * y

  The result: the DNS proxy of the local host looks up the remove HIs,
  it should return only the remote HIs with algo Y to maximize
  compatibility. In other words, the proxy filters out incompatible
  remote addresses.

  When the proxy does not find any compatible addresses, the results
  depends on local policy (i.e. command line argument to the proxy):
  either nothing gets returned or the proxy returns regular IP
  addresses.

  Feel free to comment, this is just my initial suggestion how to
  resolve this. I think we could have this feature already in HIPv1 even
  though it is not strictly speaking needed (but we do have multiple
  algos).

To manage notifications about this bug go to:
https://bugs.launchpad.net/hipl/+bug/886509/+subscriptions

Other related posts:

• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Miika Komu
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Paul Tötterman
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Paul Tötterman
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Miika Komu
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy - Miika Komu
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Paul Tötterman
• » [hipl-dev] Re: [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Miika Komu
• » [hipl-dev] Re: [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Paul Tötterman
• » [hipl-dev] Re: [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Miika Komu
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Paul Tötterman
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Miika Komu
• » [hipl-dev] [Bug 886509] Re: HIPv2: cryptoagility for DNS proxy- Miika Komu

1. Home
2. hipl-dev
3. Archive
4. 05-2012

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---