[CGA-EXT] comments on draft-jiang-csi-dhcpv6-cga-ps-03.txt
marcelo bagnulo braun <marcelo@it.uc3m.es> Mon, 21 September 2009 06:55 UTC
To: "cga-ext@ietf.org" <cga-ext@ietf.org>
Hi,

I have a few comments on draft-jiang-csi-dhcpv6-cga-ps-03.txt.

In section 3, "What DHCPv6 can do for CGA", it reads:

   Generating a key pair, which will be used to generate a CGA, also
   requires a notable computation. Generation and distribution of a key
   pair can also be done by DHCPv6 server. Of course, when designing
   these new functions, one should carefully consider the impact on
   security. However, the security considerations of specific solutions
   are out of scope of this document.

While I agree that the security aspects of a specific solution are out of scope, I am not sure we can completely dump the issue. I mean, in order for the DHCP server to convey the SEC information, the security is critical. Is it really feasible to provide enough security without breaking the DHCP model? I think further analysis on this is needed.

Then, in section 4, "What CGA can do for DHCPv6", it is described that CGA can be used to secure DHCP. Now, I think a bit more analysis of what features would be provided if we do this, i.e. what types of attacks are prevented, would be useful. AFAICT, this would be much like an SSH type of security (i.e. also called opportunistic or leap-of-faith security). I think this is worth the trouble, but I think it needs to be more clearly stated.

So, if we cover these two topics, I think the document does a fairly good job analysing the different aspects.

Now, I think it would also be interesting to discuss (even though maybe not include in the document at this point) what parts of this interaction we would like to work on, if any.

Regards, marcelo
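Added example, not part of Marcelo's message or of the draft it discusses: the CGA generation and verification procedure of RFC 3972 in Python, to make concrete what the "notable computation" is (the Hash2 search over the modifier, on average 2**(16*sec) SHA-1 evaluations) and what a DHCPv6 server would have to hand to a client, and the client to its peers, for the address to be verifiable (the CGA Parameters: modifier, subnet prefix, collision count and public key; the Sec value travels in the address itself). The public key bytes are a constructed stand-in for a DER-encoded SubjectPublicKeyInfo, the prefix is taken from the 2001:db8::/32 documentation range, and no extension fields are used; all of that is assumed for illustration only.

```python
"""RFC 3972 Cryptographically Generated Addresses: generation and verification (added example)."""
import hashlib
import os

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo. A real host puts its
# RSA public key here; for the hash computation any byte string behaves the same.
EXAMPLE_PUBKEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"
# Assumed subnet prefix 2001:db8:0:a0::/64 (documentation range).
EXAMPLE_PREFIX = bytes.fromhex("20010db8000000a0")


def cga_params(modifier, prefix, collision_count, pubkey):
    """Serialise the CGA Parameters structure (RFC 3972 section 3), without extensions."""
    assert len(modifier) == 16 and len(prefix) == 8 and 0 <= collision_count <= 2
    return modifier + prefix + bytes([collision_count]) + pubkey


def hash2(modifier, pubkey):
    """Hash2: leftmost 112 bits of SHA-1 over the parameters with prefix and
    collision count zeroed. Only the modifier and the key influence it."""
    return hashlib.sha1(cga_params(modifier, bytes(8), 0, pubkey)).digest()[:14]


def hash1(modifier, prefix, collision_count, pubkey):
    """Hash1: leftmost 64 bits of SHA-1 over the complete parameters."""
    return hashlib.sha1(cga_params(modifier, prefix, collision_count, pubkey)).digest()[:8]


def leading_zero_bits(data, count):
    """True if the leftmost `count` bits of `data` are all zero (count may be 0)."""
    value = int.from_bytes(data, "big")
    return (value >> (len(data) * 8 - count)) == 0 if count else True


def generate(prefix, pubkey, sec, modifier=None, collision_count=0):
    """Return (address, modifier, tries). The modifier search is the expensive part:
    about 2**(16*sec) Hash2 evaluations on average, which is what a server could
    precompute on behalf of a constrained client."""
    if not 0 <= sec <= 7:
        raise ValueError("sec must fit in 3 bits")
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    tries = 0
    while True:
        mod = m.to_bytes(16, "big")
        if leading_zero_bits(hash2(mod, pubkey), 16 * sec):
            break
        m = (m + 1) % (1 << 128)
        tries += 1
    iid = bytearray(hash1(mod, prefix, collision_count, pubkey))
    # Sec goes into bits 0-2 (the three leftmost), u/g bits (6 and 7) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return prefix + bytes(iid), mod, tries


def verify(address, modifier, prefix, collision_count, pubkey):
    """Verify an address against its CGA Parameters (RFC 3972 section 5).
    Cheap for the verifier: two SHA-1 computations regardless of Sec."""
    if len(address) != 16 or collision_count > 2 or address[:8] != prefix:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    expected = hash1(modifier, prefix, collision_count, pubkey)
    # Compare Hash1 with the interface identifier, ignoring Sec and u/g bits.
    if expected[1:] != iid[1:] or (expected[0] & 0x1C) != (iid[0] & 0x1C):
        return False
    # A claimed Sec is only honoured if the modifier actually paid for it.
    return leading_zero_bits(hash2(modifier, pubkey), 16 * sec)


if __name__ == "__main__":
    for sec in (0, 1):
        addr, mod, tries = generate(EXAMPLE_PREFIX, EXAMPLE_PUBKEY, sec)
        print(f"sec={sec} tries={tries} address={addr.hex()} "
              f"verifies={verify(addr, mod, EXAMPLE_PREFIX, 0, EXAMPLE_PUBKEY)}")
```

With sec=1 the search finishes in well under a second in CPython; sec=2 needs roughly 2**32 hashes, which is the workload the draft has in mind when it talks about offloading generation to the server. Whoever supplies the modifier and key pair controls the address, so the channel that carries them needs exactly the protection Marcelo is asking about; the verifier side, by contrast, costs two hashes, which is what makes a leap-of-faith binding of a DHCP peer to its CGA plausible.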