>>It seems to me that we may be able to recapture some aspects of end-to-end
>>transparency at the application level if addressing issues are focused on
>>host FQDNs, rather than IP addresses.
>this works to some extent. it specifically doesn't work for applications
>that need to rendezvous with specific processes on specific hosts
>(or which need to use specific interface addresses, say for performance
>reasons), since a single FQDN often corresponds to multiple hosts.
>(or, less frequently, to multiple addresses on a single host).
Specific processes can be and almost always are identified by a port number.
Just as TCP connections are identified as a 4-tuple of sender and receiver
IP address and port number, an application layer session would be identified
by a 4-tuple of sender and receiver FQDN and port.
Each interface has a different IP number, does it not? So each can have
its own FQDN if they need to be distinguished.
>note also that DNS is often slow, and seems less reliable than IP.
>by increasing the reliance on DNS you increase the probability of failure.
Yes, so DNS can occasionally fail. But embedding addresses as a name in a
protocol is guaranteed to fail in increasingly common situations.
Finally, some have argued that DNS is less secure, but it seems that IP
numbers can be spoofed as easily as FQDNs, and an FQDN can always be
double-checked with a DNSSEC lookup if critical.
- dan
P.S. And now I'll embarrass myself with a silly idea. Could one create an
automatic tunneling mode to securely send encrypted IPsec streams through a
NAT by adding an IP option which also identifies the FQDN of the destination
host? That is, the IP address would get the packet to the NAT, and the NAT
would use the embedded FQDN to forward the packet to the correct destination
host, using IP in IP encapsulation. The destination host would need to have
knowledge of its external address, but the NAT would not need access to the
destination host's encryption keys and so security would not be compromised.
--
Daniel Kohn <mailto:[EMAIL PROTECTED]>
tel:+1-425-519-7968 fax:+1-425-602-6223
http://www.dankohn.com
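The exchange above turns on whether a 4-tuple of sender/receiver FQDN and port pins down a single application-layer session the way an IP 4-tuple does. The following toy model, added here and not part of the original thread, plays out both sides with a constructed resolver table: a name that maps to several hosts makes the FQDN tuple ambiguous (the quoted objection), a per-interface name makes it unique (the reply), and renumbering an address leaves the FQDN-keyed session identity untouched. All hostnames and addresses are invented for the example.

```python
"""Toy model of FQDN-keyed application sessions (added example, not from the thread)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

IPTuple = Tuple[str, int, str, int]
Table = Dict[str, List[str]]

# Constructed resolver table (invented names, documentation-range addresses).
# One FQDN may resolve to several addresses: several hosts behind one name,
# or several interfaces on one host. Per-interface names remove the ambiguity.
RESOLVER: Table = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],        # two hosts, one name
    "host7.example.test": ["198.51.100.7", "203.0.113.7"],   # one host, two interfaces
    "eth0.host7.example.test": ["198.51.100.7"],             # per-interface name
    "eth1.host7.example.test": ["203.0.113.7"],
    "client.example.test": ["192.0.2.200"],
}


@dataclass(frozen=True)
class Session:
    """Application-layer session identity: FQDN and port at each end."""
    src_fqdn: str
    src_port: int
    dst_fqdn: str
    dst_port: int


def resolve(fqdn: str, table: Optional[Table] = None) -> List[str]:
    """Return every address the (toy) resolver knows for a name."""
    table = RESOLVER if table is None else table
    return list(table.get(fqdn, []))


def ip_tuples(session: Session, table: Optional[Table] = None) -> List[IPTuple]:
    """Expand an FQDN-keyed session into all IP 4-tuples it could correspond to."""
    src = resolve(session.src_fqdn, table)
    dst = resolve(session.dst_fqdn, table)
    return [(s, session.src_port, d, session.dst_port) for s, d in product(src, dst)]


def is_unambiguous(session: Session, table: Optional[Table] = None) -> bool:
    """True when the FQDN tuple selects exactly one IP 4-tuple."""
    return len(ip_tuples(session, table)) == 1


def renumbered(table: Table, fqdn: str, new_addrs: List[str]) -> Table:
    """Return a copy of the resolver table with one name moved to new addresses."""
    new = {name: list(addrs) for name, addrs in table.items()}
    new[fqdn] = list(new_addrs)
    return new


if __name__ == "__main__":
    # The objection: a multi-host name cannot rendezvous with one specific host.
    web = Session("client.example.test", 40000, "www.example.test", 80)
    print(web, "->", ip_tuples(web), "unambiguous:", is_unambiguous(web))

    # The reply: give each interface its own FQDN and the tuple is unique.
    ssh = Session("client.example.test", 40000, "eth0.host7.example.test", 22)
    print(ssh, "->", ip_tuples(ssh), "unambiguous:", is_unambiguous(ssh))

    # Renumbering the client changes the IP tuple but not the session identity.
    moved = renumbered(RESOLVER, "client.example.test", ["192.0.2.201"])
    print("after renumbering:", ip_tuples(ssh, moved), "same session:", ssh == ssh)
```

The model deliberately says nothing about how the resolver's answers are obtained or verified; it only shows what the two identification schemes pin down, which is the part of the argument the messages disagree on.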