On 2009-07-24 04:12, Fleischman, Eric wrote:
> Hi, Lixia!
>
> Concerning my unclear statement (i.e., your "I do not see the
> implication here." comment), what I was trying to convey is the
> following logic flow:
> 1) not all identifiers should be at the IP layer -- some logically occur
> at other layers
> 2) just because identifiers are at several layers, one can still
> correlate between them (e.g., for network management or security) as
> long as that layer isn't encrypted.

Agreed on both counts. Slightly orthogonally, there's
draft-carpenter-behave-referral-object-00.txt, which aims at how
the applications layer might achieve 2), among other things. But
in writing that, we found ourselves pretty much forced to tackle
the problem of identifiers for addressing scopes, i.e. a form
of meta-identifier at layer 3.

Brian

>
> The reason I made this statement is that some postings seemed to imply
> (or, at least, this is how I read them) that routing identifiers have to
> solve all problems. I disagree: routing identifiers need to solve
> routing problems but other problems can be solved by identifiers at
> other layers.
>
> This observation is hopefully obvious but what excites me is what it
> means to ancillary requirements such as security and network management.
> As you may know, I've been keen for about a decade on the concept of
> "security zones" in which one can have unique policies for parts of a
> routing infrastructure to handle unique requirements of a community of
> interest. I therefore consider the various insights of the RRG postings
> to see their implications to this type of goal, which is why I felt the
> need to mention something which to others is hopefully obvious.
> Specifically, security zones theoretically can be made by routing policy
> at the IP layer (e.g., policy-based routing) but I am currently
> discouraged at how this works, except for VPNs and map-and-encaps, which
> really are parallel (complementary) routing systems. Therefore, I am
> currently trying to do this at the "IPsec layer" or above. I am curious
> whether LISP, for example, could be used to support security zones but I
> haven't pursued that idea myself. I wonder if others have?
>
> I am also naturally interested if others have had more success doing
> security zones solely at the IP layer, but that is probably out-of-scope
> for the RRG and so I didn't want to go there in postings to this WG.
>
> -----Original Message-----
> From: Lixia Zhang [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 11:52 PM
> To: Fleischman, Eric
> Cc: [email protected]
> Subject: Re: [rrg] Next topic: properties of identifiers
>
> <snip>
> >> The thing that bothers me about this otherwise excellent discussion is
> >> that I interpret these emails as implying that all identifiers must be
> >> known at the IP layer.
>
> Hi Eric, I do not see the implication here.
>
> <snip>
>
> _______________________________________________
> rrg mailing list
> [email protected]
> http://www.irtf.org/mailman/listinfo/rrg
