Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt

Sheng Jiang <shengjiang@huawei.com> Wed, 21 April 2010 02:53 UTC

Date: Wed, 21 Apr 2010 10:52:30 +0800
From: Sheng Jiang <shengjiang@huawei.com>
In-reply-to: <1976F3118BF0443481221A22A5EAEF92@bombo>
To: 'Alberto García' <alberto@it.uc3m.es>, 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, cga-ext@ietf.org
Message-id: <001d01cae0fd$af56f5e0$730c6f0a@china.huawei.com>
Cc: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
Subject: Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt

Dear Alberto,

Thanks for your comments. Most of them will be addressed in an updated
version after WGLC, along with other comments we may receive. Detailed
replies inline.

Best regards,

Sheng 

> -----Original Message-----
> From: Alberto García [mailto:alberto@it.uc3m.es] 
> Sent: Tuesday, April 20, 2010 6:25 PM
> To: 'marcelo bagnulo braun'; cga-ext@ietf.org
> Cc: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
> Subject: RE: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
> 
> Hi,
> Some comments:
> 
> In section 4 (What CGA can do for DHCPv6), it would help to 
> describe the scenario in which CGAs can be used, i.e. 
> indicating which of the elements use CGA, and in which part 
> of the DHCP configuration process the use of CGA can be 
> beneficial. Even though the draft is not devoted to solutions, at 
> least a scenario in which a possible solution could be 
> developed should be shown.

CGA can be used for all DHCP messages/processes as long as CGA is available.
We will make it clearer in the updated version.
 
> In fact, I do not clearly see why using CGA is an advantage in this
> scenario: CGAs are good to state that a node has the 
> authorization to use a given address, but it is not clear to 
> me that they can be used to say that a node has the authorization to act 
> as something (a DHCP server, a relay). For this, some 
> configuration is required to bind the 'authorization' to the 
> CGA address. How is this done?
> You then say a possible way of achieving this is:

This kind of authorization is based on pre-configured conditions. For
example, a node has been pre-configured with the public key of a certain DHCP
server (or a trust anchor). We will make it clearer in the updated version.
 
> "The minimum level of pre-configuration is to 
>    configure public keys on both parties of communication or have a 
>    third party authority available for users to retrieve public keys."
> 
> Well, the nice thing about CGAs is that you don't need to know 
> keys in advance, only addresses (and the addresses can be 
> securely bound to keys dynamically, by means of conveying the 
> CGA parameter data structure, which is verified to see that 
> the binding is correct).

Agreed. However, there is no restriction that prevents CGA from being used
together with authority information. This draft does not propose any concrete
solution, but lists the possibilities. Of course, we should clearly explain
the scenario without any pre-configuration. It will be in the updated
version.
 
> I think the configuration should be just the CGA address. But 
> then, if you need configuration, what is the benefit over IPsec? 
> AFAIU IPsec has a number of benefits on its own: it is the 
> current standard for use in DHCP exchange, it allows 
> negotiation of security parameters so it is more secure than 
> CGAs... The nice thing about CGAs is that in general you use 
> them without configuring anything, or just by using them as 
> addresses (you just configure the DNS, and that's all).

Same as above.
 
> Maybe I'm not understanding this part properly. Can you be 
> more specific?
> In addition, as a problem statement document, it should be 
> more exhaustive in detailing all the problems which can be 
> addressed by CGAs (even though there is no detail on the solution).

If you mean the scenario without any pre-configuration, it will be included
in the updated version. If you think others are missing, please point them
out. We are glad to include them.
 
> ---
> In the second paragraph of the introduction you say:
> 
> "By using the associated public & private keys 
>    as described by SEcure Neighbor Discovery (SEND) 
> [RFC3971], CGAs can 
>    protect the Neighbor Discovery Protocol (NDP) [RFC4861], i.e. they 
>    can provide address validation and integrity protection for NDP 
>    messages."
> 
> Although this is true, of course, I don't see the point in 
> just considering here one protocol which uses CGAs. The 
> draft is about configuring CGAs, and these CGAs can be used 
> for any purpose (SEND, SHIM6, any other). Here it seems there 
> is a specific dependency on SEND, which I think is not the case.
> I would replace with: 
> "CGAs are used in protocols such as SEND [RFC3971] or SHIM6 
> [RFC5533]."  or something similar.

It will be addressed in the updated version. Many thanks for your valuable
comments.

Best regards,

Sheng
 
> ----
> 
> Regards,
> Alberto
> 
> |  -----Original Message-----
> |  From: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] On behalf of
> |  marcelo bagnulo braun
> |  Sent: Tuesday, 20 April 2010 10:23
> |  To: cga-ext@ietf.org
> |  CC: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
> |  Subject: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
> |  
> |  Hi,
> |  
> |  This note issues the WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
> |  Please, review the document and send your comments before April the 10th.
> |  
> |  For your convenience, you can find the document at  
> | http://datatracker.ietf.org/doc/draft-ietf-csi-dhcpv6-cga-ps/
> |  
> |  Regards, marcelo
> |  
> |  _______________________________________________
> |  CGA-EXT mailing list
> |  CGA-EXT@ietf.org
> |  https://www.ietf.org/mailman/listinfo/cga-ext
>
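The property Alberto relies on above, that a verifier needs nothing beyond the address itself and the CGA Parameters data structure conveyed with the message, is the RFC 3972 generation and verification procedure. The following Python is an added illustration of that procedure (an editor's example, not code from the draft, from either author, or from the list): generation walks the modifier until Hash2 has 16*Sec leading zero bits, builds the interface identifier from Hash1 with Sec in the top three bits and the u/g bits cleared, and verification redoes both hashes from the received parameters alone. The prefix 2001:db8:1::/64 and the public-key bytes are constructed stand-ins (a real deployment carries the DER-encoded SubjectPublicKeyInfo), and SHA-1 is used because that is what RFC 3972 specifies; RFC 4982 later added hash agility. Note what a successful verify proves: that the holder of that key generated that address. It says nothing about whether the node is authorized to act as a DHCP server or relay, which is exactly the gap that a pre-configured server key or trust anchor would have to fill.

```python
"""CGA generation and verification after RFC 3972 (added example, not from the draft)."""
import hashlib
import ipaddress
import os

# RFC 3972: the interface identifier is Hash1 with the three leftmost bits
# replaced by Sec and the u/g bits (bits 6 and 7 of the first octet) cleared.
_SEC_MASK = 0xE0
_UG_MASK = 0x03
_CMP_MASK = 0xFF & ~(_SEC_MASK | _UG_MASK)  # 0x1C: first-octet bits a verifier compares


def _hash1(params):
    """Leftmost 64 bits of SHA-1 over the whole CGA Parameters data structure."""
    return hashlib.sha1(params).digest()[:8]


def _hash2_ok(modifier, key_and_ext, sec):
    """Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero octets || key || ext);
    its 16*Sec leftmost bits must be zero (trivially true for Sec = 0)."""
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + key_and_ext).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def generate(prefix, pubkey, sec, modifier=None, collision=0, ext=b""):
    """Return (IPv6Address, CGA parameters) for a 64-bit prefix and an encoded key."""
    if not (0 <= sec <= 7 and len(prefix) == 8 and 0 <= collision <= 2):
        raise ValueError("bad Sec, prefix length or collision count")
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    key_and_ext = pubkey + ext
    # Steps 2-3: increment the modifier until Hash2 has enough leading zero bits.
    # Cost grows by 2**16 per Sec level; that work is what resists brute force.
    while not _hash2_ok(mod.to_bytes(16, "big"), key_and_ext, sec):
        mod = (mod + 1) & ((1 << 128) - 1)
    params = mod.to_bytes(16, "big") + prefix + bytes([collision]) + key_and_ext
    # Steps 5-7: interface ID from Hash1, Sec in the top bits, u/g bits zero.
    iid = bytearray(_hash1(params))
    iid[0] = (iid[0] & _CMP_MASK) | (sec << 5)
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def verify(addr, params):
    """RFC 3972 section 5: needs only the address and the received parameters."""
    if len(params) < 25:
        return False
    modifier, prefix, collision = params[:16], params[16:24], params[24]
    if collision > 2:                       # step 1
        return False
    packed = addr.packed
    if packed[:8] != prefix:                # step 2
        return False
    iid, h1 = packed[8:], _hash1(params)    # steps 3-4
    if (h1[0] & _CMP_MASK) != (iid[0] & _CMP_MASK) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                       # step 5
    return _hash2_ok(modifier, params[25:], sec)   # steps 6-7


# Constructed demo inputs: a documentation prefix and an opaque stand-in for
# the DER-encoded public key (the hash treats it as bytes either way).
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed[:8]
PUBKEY = b"\x30\x22" + bytes(range(34))


def demo(sec=1):
    """Generate, verify, then show two rejections: a swapped key and a moved prefix."""
    addr, params = generate(PREFIX, PUBKEY, sec, modifier=bytes(16))
    genuine = verify(addr, params)
    forged = verify(addr, params[:25] + bytes(len(PUBKEY)))   # other key, same address
    moved = ipaddress.IPv6Address(b"\x20\x01\x0d\xb8\x00\x02\x00\x00" + addr.packed[8:])
    return addr, genuine, forged, verify(moved, params)


if __name__ == "__main__":
    addr, genuine, forged, moved = demo()
    print(addr, genuine, forged, moved)
```

Running the script prints the generated address followed by True, False, False: the genuine parameters verify, a parameter block carrying a different key does not match the address, and genuine parameters presented with an address in another prefix are rejected at the prefix check. A fixed zero modifier is passed in only so the demo is repeatable; real generation starts from a random one.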