[CGA-EXT] Comments on draft-jiang-dhc-secure-dhcpv6-02

Tony Cheneau <tony.cheneau@it-sudparis.eu> Thu, 24 September 2009 14:55 UTC

Date: Thu, 24 Sep 2009 16:56:42 +0200
From: Tony Cheneau <tony.cheneau@it-sudparis.eu>
To: shengjiang@huawei.com, Sean Shen <shenshuo@cnnic.cn>
Message-ID: <alpine.LNX.2.00.0909241639070.13009@whitebox>
Cc: dhcwg@ietf.org, cga-ext@ietf.org
Subject: [CGA-EXT] Comments on draft-jiang-dhc-secure-dhcpv6-02

Hello,

I read draft-jiang-dhc-secure-dhcpv6-02 and I have the following comments:
- you should remain consistent and always use the term CGA Parameters
   (sometimes, the 's' is lacking).
- section 6.3, "The CGA of a client will not lose during relaying." needs to
   be corrected (does not make much sense).
- in the same section, maybe due to a lack of knowledge of the DHCPv6
   protocol, I fail to understand how the Relay Agent will prove the DHCP
   Client's address ownership to the DHCP server and how the Relay Agent will
   prove the DHCP server's authorization to the DHCP Client. Can you enlighten
   me on this point?

- the document is rather fuzzy on how you deploy certificates on DHCP routers
   to perform the ADD. If you plan to reuse the certificates deployed on SEND
   routers, it would be wise to provide an "extended key usage" value for the
   authorization to act as a DHCP server (there are already values for proxying
   functionalities and such defined in draft-ietf-csi-send-cert).

- also, the text is not clear on the fact that the DHCP Server MUST use a
   certificate to prove its authority. I think the text should be clarified on
   that point.

Best regards,
   Tony Cheneau