[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: using Host Identity Protocol in Tor
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Paul Syverson wrote:
> I had an exchange with Geoff Goodell about HIP in late '05 early
> '06. Here are some concerns that he raised (for our discussion, not in
> response to the current one---but I think they are relevant).
Thanks for listing them though many of those have been resolved.
> 1. Every target service must be on board. This means that HIP does not
> provide an "outproxy" network by which we can contact existng, "legacy"
> services. Clearly, this conflicts with the "sharing perspectives"
> aspect of Blossom.
There are several HIP proxy implementations around that can interface a
HIP host to legacy hosts. Personally, I've written a HIP plug-in to a
generic protocol proxy OCALA from Berkeley.
> 2. Since the contenct of every packet must be encapsulated within a HIP
> datagram, we need to either (a) change the protocol stacks at the edges,
> or (b) tunnel (as we do in Tor). The latter requires substantial
> infrastructure development which is particularly cumbersome (and at the
> moment ill-specified).
On Linux HIP uses new IPsec mode BEET that has been accepted to kernel
2.6.19 so the protocol stack will be upgraded eventually. Otherwise HIP
encapsulation is done with TUN device with a user-space program.
> 3. Since its goal is separaating location information from identity,
> HIP does not provide a sufficient means of locating the endpoints.
> Without some sort of directory; we are left with querying and
> broadcasting, both of which are extremely inefficient. Building the
> directory is a much more interesting challenge than encapsulating the
> datagrams, in my opinion.
Currently HIP relies on public OpenDHT infrastructure (~200 servers on
PlanetLab) to make identity->location mapping. The other way is to
include an address of rendezvous server to DNS and provide current
location to RVS server. There are several RVS implementations available
with plans for wider deployment
Best,
Andrei
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFN33FP7jp0uceFkQRAj8BAJ9tK6K5oUJG9mryZ25s8s3h6lsV/wCfUsgr
cJUMBoeIQ30MqLJCIvBlb7s=
=YHrD
-----END PGP SIGNATURE-----