Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01

Tony Cheneau <tony.cheneau@it-sudparis.eu> Thu, 10 December 2009 21:58 UTC

Return-Path: <tony.cheneau@it-sudparis.eu>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D48123A692C for <cga-ext@core3.amsl.com>; Thu, 10 Dec 2009 13:58:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.224
X-Spam-Level:
X-Spam-Status: No, score=-2.224 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bKmcjt+wMT7D for <cga-ext@core3.amsl.com>; Thu, 10 Dec 2009 13:58:06 -0800 (PST)
Received: from smtp4.int-evry.fr (smtp4.int-evry.fr [157.159.10.71]) by core3.amsl.com (Postfix) with ESMTP id 7F9303A68B7 for <cga-ext@ietf.org>; Thu, 10 Dec 2009 13:58:05 -0800 (PST)
Received: from smtp2.int-evry.fr (smtp2.int-evry.fr [157.159.10.45]) by smtp4.int-evry.fr (Postfix) with ESMTP id 86198FE0B3E; Thu, 10 Dec 2009 22:57:53 +0100 (CET)
Received: from smtp-ext.int-evry.fr (smtp-ext.int-evry.fr [157.159.11.17]) by smtp2.int-evry.fr (Postfix) with ESMTP id CB399404FAE; Thu, 10 Dec 2009 22:57:40 +0100 (CET)
Received: from alf94-6-82-226-232-167.fbx.proxad.net (alf94-6-82-226-232-167.fbx.proxad.net [82.226.232.167]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-ext.int-evry.fr (Postfix) with ESMTP id B125F900AF; Thu, 10 Dec 2009 22:57:40 +0100 (CET)
Date: Thu, 10 Dec 2009 22:57:18 +0100 (CET)
From: Tony Cheneau <tony.cheneau@it-sudparis.eu>
X-X-Sender: shad@localhost.localdomain
To: Roque Gagliano <roque@lacnic.net>
In-Reply-To: <56298740-3547-4D80-B349-BB57123B274C@lacnic.net>
Message-ID: <alpine.LNX.2.00.0912102238350.11124@localhost.localdomain>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <BF345F63074F8040B58C00A186FCA57F1C66087842@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911201144010.7546@whitebox> <BF345F63074F8040B58C00A186FCA57F1C65FB277D@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain> <BF345F63074F8040B58C00A186FCA57F1C65FB2942@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911242317130.11124@localhost.localdomain> <BF345F63074F8040B58C00A186FCA57F1C65FB2A51@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911260951580.7596@whitebox> <37915D90-B246-48E4-9C7B-69DAF54FA43A@lacnic.net> <BF345F63074F8040B58C00A186FCA57F1C65FB2ECE@NALASEXMB04.na.qualcomm.com> <B2FDAE8C-CBC8-41BA-8604-B8A79AA763D7@lacnic.net> <BF345F63074F8040B58C00A186FCA57F1C65FB3043@NALASEXMB04.na.qualcomm.com> <5B84EA57-9C58-4968-BA15-8A43A555C50C@lacnic.net> <56298740-3547-4D80-B349-BB57123B274C@lacnic.net>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-INT-MailScanner-Information: Please contact the ISP for more information
X-INT-MailScanner-ID: CB399404FAE.A89C6
X-INT-MailScanner: Found to be clean
X-INT-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (not cached, score=0.805, requis 6.01, BAYES_00 -2.60, FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR 2.43, RCVD_IN_SORBS_DUL 0.88, RDNS_DYNAMIC 0.10)
X-INT-MailScanner-From: tony.cheneau@it-sudparis.eu
Cc: draft-ietf-csi-proxy-send@tools.ietf.org, Julien Laganier <julienl@qualcomm.com>, cga-ext@ietf.org
Subject: Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 21:58:06 -0000

Hello Roque,

The text you extracted corresponds to a part of the Supported Signature
Option. The only part that is interesting here is the Signature Type
Identifier that can be stored in the Reserved field of the PSO.  Maybe a
more relevant text would be:

  Signature Type Identifier is a 5-bit field.  It corresponds to the
  Signature Type Identifier subfield (bits 3 to 7 of the Signature
  Algorithm field) in the Supported Signature Algorithm option (defined in
  [draft-cheneau-csi-send-sig-agility-01]).  It indicates the type of
  signature contained in the Digital Signature field.

And this kind of PSO format:
         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |     Type      |    Length     |      Reserved       |   STI   |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                               |
        |                          Key Hash                             |
        |                                                               |
        |                                                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                               |
        .                                                               .
        .                       Digital Signature                       .
        .                                                               .
        |                                                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                               |
        .                                                               .
        .                           Padding                             .
        .                                                               .
        |                                                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



I think that the working group should discuss on what mechanism is to be
allowed for  Signature Agility in the newly defined * Signature Option
(PSO, here, but also Universal Signature Option). For example, we could
only require a 5 bit field as proposed here. This would allow us to
define new option and such, while waiting for a complete solution to be
approved by the working group.
What do you think ? Is that obvious or should we speak this any further
?

Regards,
 	Tony

On Thu, 10 Dec 2009, Roque Gagliano wrote:

> Julien,
>
> You can even include Tonys text about "Signature Algorithm":
> "
>   Signature Algorithm
>
>      A one-octet long field indicating a signature algorithm and the
>      corresponding hash algorithm that this node supports; this support
>      implies at least ability to verify signatures of this Signature
>      Algorithm algorithm.
>
>      If the first leftmost bit, bit 0, is set to 0, it indicates that
>      the emitter is able to perform signature checks only (i.e. no
>      signature generation with this type of signature algorithm).  If
>      this bit is set to 1, it indicates that the emitter has a public
>      key of this type and can generate signatures.  Bit 1 and 2 are
>      reserved.  Bit 3 to 7 are named Signature Type Identifier subfield
>      and encode an identifier for the signature algorithm and
>      corresponding hash algorithm.  Default values for the Signature
>      Type Identifier subfield defined in this document are taken in
>      part from the IANA-defined numbers for the IKEv2 protocol, i.e.
>      IANA registry named "IKEv2 Authentication Method":
>
>      *  Value 0 is RSA/SHA-1 (compatible with [RFC3971])
>
>      *  Value 1 is RSA/SHA-256
>
>      *  Section 5 of document [cheneau-csi-ecc-sig-agility] provides
>         values for ECDSA signature algorithm
> "
> Roque.
>
> On Dec 10, 2009, at 1:09 AM, Roque Gagliano wrote:
>
>> Hi Julian,
>>
>>>
>>> So in terms of prefix I agree that you want to use right of use rather than ownership, but in terms of CG-addresses, IMHO we do want to say ownership.
>>>
>>
>> The distinction is not so clear for me but I am fine with "no innovating".
>>
>>>> That is something I made clear in the CERT draft.
>>>
>>> But the focus of the CERT draft is on delegating authorization to advertize/use prefixes or addresses that are NOT cryptographically generated, thus there's no ownership involved.
>>>
>>>>> The lack of algorithm agility is generic to SEND and not specific to the Secure Proxy ND mechanism. When the WG concludes on how to move forward with algorithm agility, we can publish an RFC updating both RFC3971 and this to be RFC to add algorithm agility.
>>>>
>>>> So, we know there is a problem and probably know that SEC ADs are looking at these particular issues, however we would to advance this draft to the IESG hopping that it passes their LC with the promise to solve the issue later on? I only have been in CSI for a couple of months but does not sound proper IETF process to me.
>>>>
>>>> The agility discussion also included a signaling between the parties in order to select which algorithm to use. What we can do while that discussion is not over in the WG is to make sure that new SEND options have the possibility of identifying which algorithms each party are using, leaving the signaling part for later. This is similar to DNSSEC where in order to change from SHA-1 to SHA-256 probably all signatures will be for a while duplicated in the zone files.
>>>
>>> Would inclusion of an algorithm field in the PSO solve your concern?
>>
>> IMHO, it will help to move the document through the next step.
>>
>> Roque.
>>
>>> --julien
>>
>> -------------------------------------------------------------
>> Roque Gagliano
>> LACNIC
>> roque@lacnic.net
>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>
>
> -------------------------------------------------------------
> Roque Gagliano
> LACNIC
> roque@lacnic.net
> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>
>