IETF Logo Mail Archive

Re: [CGA-EXT] New Version for draft-krishnan-csi-proxy-send-00

"Jean-Michel Combes" <jeanmichel.combes@gmail.com> Wed, 18 June 2008 18:01 UTC

Return-Path: <cga-ext-bounces@ietf.org>
X-Original-To: cga-ext-archive@optimus.ietf.org
Delivered-To: ietfarch-cga-ext-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D67463A6A5A; Wed, 18 Jun 2008 11:01:53 -0700 (PDT)
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D01BB3A6A5A for <cga-ext@core3.amsl.com>; Wed, 18 Jun 2008 11:01:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.214
X-Spam-Level:
X-Spam-Status: No, score=-1.214 tagged_above=-999 required=5 tests=[AWL=-0.915, BAYES_00=-2.599, MANGLED_TRNFER=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZVldXdNcSwx for <cga-ext@core3.amsl.com>; Wed, 18 Jun 2008 11:01:51 -0700 (PDT)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.225]) by core3.amsl.com (Postfix) with ESMTP id CF8D43A6998 for <cga-ext@ietf.org>; Wed, 18 Jun 2008 11:01:51 -0700 (PDT)
Received: by rv-out-0506.google.com with SMTP id b25so5639097rvf.49 for <cga-ext@ietf.org>; Wed, 18 Jun 2008 11:02:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=T/PJAsoGAChAM9FSZZQnu6czGh2DsQwfAQEr5m/OV0E=; b=SPCZKRkYRBbOkrzSbzPrvb5qaugu24qSjUsPLa9uLTixduZcnS3HvZrGjF+4bTw04w vf4cBXW89XsUMz7HdnIMfaPC5kIrvRjRZ34sTPcNQbwDqiPg9QvQyNpCZF4AZs/HslDL O8fA8PcxTD+BTVRvp77CXREnd+EqV1STYlelU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=tFSzyuYAq2ogOFZ43FtEzBhIqRA0rC3srEZAzhAF3833J5NGymSmNN+oyp65oCoLDA 0j4lpNJH1MTGfo5v3/dkWG7v7XuGqjiRQ5wfAtUhvkO1LM0rYXQMJh7NX6BwaWYErflG zI0Co68NJgXWP0QEQd5Z02yFh+CA1gCSyOgHA=
Received: by 10.141.136.19 with SMTP id o19mr5642556rvn.281.1213812160012; Wed, 18 Jun 2008 11:02:40 -0700 (PDT)
Received: by 10.141.189.15 with HTTP; Wed, 18 Jun 2008 11:02:39 -0700 (PDT)
Message-ID: <729b68be0806181102n12449c7ahe631c725a5ce3ad1@mail.gmail.com>
Date: Wed, 18 Jun 2008 20:02:39 +0200
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Julien Laganier <julien.IETF@laposte.net>
In-Reply-To: <200806121653.22293.julien.IETF@laposte.net>
MIME-Version: 1.0
Content-Disposition: inline
References: <729b68be0806061730y7bf7f8e7ld3d2b2a5de4155f5@mail.gmail.com> <200806121653.22293.julien.IETF@laposte.net>
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] New Version for draft-krishnan-csi-proxy-send-00
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: cga-ext-bounces@ietf.org
Errors-To: cga-ext-bounces@ietf.org

Hi Julien,

2008/6/12, Julien Laganier <julien.IETF@laposte.net>:
> Hello Jean-Michel,
>
>
>  On Saturday 07 June 2008, Jean-Michel Combes wrote:
>  > Hi,
>  >
>  > After a quick review, I have one comment and one question:
>  > - IMHO, your solution should work too with anycast addresses case
>
>
> It seems so. It also seems it would work to secure NS/NA exchange based
>  on certificates rather than CGA.

Not sure that certs defined in krishnan-cgaext-send-cert-eku are well
adapted for such a use: IMHO, prefix ownership is not the same as
address ownership.

> To achieve that it would also be
>  necessary to define another EKU (extended key usage) for "Address
>  ownership", in addition to "Router" and "Proxy".

But what is in the cert when you want to use it to proxy NS/NA? An
address or a prefix?

>
>
>  > - How will a ND-Proxy get the certificate authorizing it to act as an
>  > ND-Proxy?
>
>
> In the same fashion that a Router gets the certificate authorizing it to
>  act as a router.

May I have details in the case of the MIPv6 scenario? Specially, who
does provide the cert?

Cheers.

JMC.

>
>  Cheers,
>
>
>  --julien
>
>
>  > 2008/6/6, Julien Laganier <julien.IETF@laposte.net>:
>  > > Folks,
>  > >
>  > >  Sorry for the noise, but another update of the Secure Proxy ND
>  > > Support for SEND has been posted. It fixes some misreferences and
>  > > has a filename matching the WG name, thus it should appear in the
>  > > tools.ietf.org page.
>  > >
>  > >  The new draft has support for ND proxy as per:
>  > >  - ND proxies [RFC4389]
>  > >  - MIPv6 Home Agent [RFC3775]
>  > >  - PMIPv6 Mobility Access Gateway [I-D.ietf-netlmm-proxymip6]
>  > >
>  > >  You can find it there:
>  > >
>  > >
>  > > <http://www.ietf.org/internet-drafts/draft-krishnan-csi-proxy-send-
>  > >00.txt>
>  > >
>  > >  Comments are still welcome!
>  > >
>  > >
>  > >  --julien
>  > >
>  > >
>  > >
>  > > ---------- Message transféré ----------
>  > > From: IETF I-D Submission Tool <idsubmission@ietf.org>
>  > > To: julien.ietf@laposte.net
>  > > Date: Fri, 6 Jun 2008 08:24:12 -0700 (PDT)
>  > > Subject: New Version Notification for
>  > > draft-krishnan-csi-proxy-send-00
>  > >
>  > >  A new version of I-D, draft-krishnan-csi-proxy-send-00.txt has
>  > > been successfuly submitted by Julien Laganier and posted to the
>  > > IETF repository.
>  > >
>  > >  Filename:        draft-krishnan-csi-proxy-send
>  > >  Revision:        00
>  > >  Title:           Secure Proxy ND Support for SEND
>  > >  Creation_date:   2008-06-06
>  > >  WG ID:           Independent Submission
>  > >  Number_of_pages: 22
>  > >
>  > >  Abstract:
>  > >  Secure Neighbor Discovery (SEND) specifies a method for securing
>  > >  Neighbor Discovery (ND) signaling against specific threats.  As
>  > >  specified today, SEND assumes that the node advertising an address
>  > > is the owner of the address and is in possession of the private key
>  > > used to generate the digital signature on the message.  This means
>  > > that the Proxy ND signaling initiated by nodes that do not possess
>  > > knowledge of the address owner's private key cannot be secured
>  > > using SEND.  This document extends the current SEND specification
>  > > with support for Proxy ND, the Secure Proxy ND Support for SEND.
>  > >
>  > >
>  > >
>  > >  The IETF Secretariat.
>  > >
>  > >
>  > >
>  > >
>  > > _______________________________________________
>  > >  CGA-EXT mailing list
>  > >  CGA-EXT@ietf.org
>  > >  https://www.ietf.org/mailman/listinfo/cga-ext
>  >
>  > _______________________________________________
>  > CGA-EXT mailing list
>  > CGA-EXT@ietf.org
>  > https://www.ietf.org/mailman/listinfo/cga-ext
>
>
>
_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext

v2.23.0 | Report a Bug | By Email