HIPv2: cryptoagility for DNS proxy
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| HIPL | New | Low | Paul Tötterman | |
Bug Description
HIPv2 requires some agility also in the DNS proxy. Let's have a look at an example.
Remote host advertises its HIs with the following algorithms in DNS:
* x
* y
* z
But the local host supports only the following algos for its HITs:
* y
The result: when the DNS proxy of the local host looks up the remote HIs, it should return only the remote HIs with algo Y to maximize compatibility. In other words, the proxy filters out incompatible remote addresses.
When the proxy does not find any compatible addresses, the result depends on local policy (i.e. command line argument to the proxy): either nothing gets returned or the proxy returns regular IP addresses.
Feel free to comment, this is just my initial suggestion on how to resolve this. I think we could have this feature already in HIPv1 even though it is not strictly speaking needed (but we do have multiple algos).
Changed in hipl:
assignee: nobody → Paul Tötterman (paul-totterman)
So I should just filter the DNS answers based on the PK algorithm field in the HIP RR? Any suggestions for how I should know which algorithms the local HIP daemon supports? Generate python code based on ./configure or ask the daemon through hipconf at hipdnsproxy startup?
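One way to do the filtering described in the bug report and asked about in the comment above, as an added example and not HIPL's own hipdnsproxy code: it decodes the PK algorithm field from HIP RR RDATA (RFC 5205 layout: HIT length, PK algorithm, PK length, HIT, public key) and applies the two local fallback policies. The set of locally supported algorithms and the fallback IP addresses are assumed inputs (however the proxy obtains them); the sample records are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List

# PK algorithm values from the HIP RR RDATA (RFC 5205 / RFC 8005).
PK_ALGORITHMS = {1: "DSA", 2: "RSA", 3: "ECDSA"}


@dataclass
class HipRecord:
    algorithm: int
    hit: bytes
    public_key: bytes


def build_hip_rdata(algorithm: int, hit: bytes, public_key: bytes) -> bytes:
    """Encode the fixed part of HIP RDATA: HIT len (1), PK algo (1), PK len (2), HIT, PK."""
    return struct.pack("!BBH", len(hit), algorithm, len(public_key)) + hit + public_key


def parse_hip_rdata(rdata: bytes) -> HipRecord:
    """Decode HIP RDATA; trailing rendezvous-server names are not needed for filtering."""
    if len(rdata) < 4:
        raise ValueError("HIP RDATA shorter than its fixed header")
    hit_len, algorithm, pk_len = struct.unpack("!BBH", rdata[:4])
    end = 4 + hit_len + pk_len
    if len(rdata) < end:
        raise ValueError("HIP RDATA truncated inside HIT or public key")
    return HipRecord(algorithm, rdata[4:4 + hit_len], rdata[4 + hit_len:end])


def filter_compatible(records: Iterable[HipRecord], supported: set,
                      fallback_ips: List[str], return_ips_on_miss: bool) -> list:
    """Keep only HIs whose PK algorithm the local daemon supports. With no match,
    apply the local policy: return plain IP addresses or an empty answer."""
    compatible = [r for r in records if r.algorithm in supported]
    if compatible:
        return compatible
    return list(fallback_ips) if return_ips_on_miss else []


# Constructed sample: a remote host advertising DSA, RSA and ECDSA HIs (made-up values).
SAMPLE_RDATA = [
    build_hip_rdata(algo, bytes([0x20, 0x01, 0x00, 0x10]) + bytes([algo]) * 12, b"\x01" * 16)
    for algo in (1, 2, 3)
]
SAMPLE_RECORDS = [parse_hip_rdata(r) for r in SAMPLE_RDATA]

if __name__ == "__main__":
    local_supported = {2}  # assumed: only RSA HITs are configured locally
    for rec in filter_compatible(SAMPLE_RECORDS, local_supported, ["192.0.2.10"], True):
        print(PK_ALGORITHMS.get(rec.algorithm, "unknown"), rec.hit.hex())
```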