Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01

"Laganier, Julien" <> Wed, 09 December 2009 17:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AF23F28C1A2 for <>; Wed, 9 Dec 2009 09:01:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.625
X-Spam-Status: No, score=-103.625 tagged_above=-999 required=5 tests=[AWL=-1.026, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CXk-IBN0Nzv7 for <>; Wed, 9 Dec 2009 09:01:14 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 889B828C19C for <>; Wed, 9 Dec 2009 09:01:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=qcdkim; t=1260378064; x=1291914064; h=from:to:cc:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version:x-ironport-av; z=From:=20"Laganier,=20Julien"=20<> |To:=20Roque=20Gagliano=20<>|CC:=20"draft"=0D=0A=09<draft-ietf->,=0D=0A=20=20=20=20=20=20 =20=20""=0D=0A=09<>|Date: =20Wed,=209=20Dec=202009=2009:00:59=20-0800|Subject:=20RE :=20[CGA-EXT]=20Review=20draft-ietf-csi-proxy-send-01 |Thread-Topic:=20[CGA-EXT]=20Review=20draft-ietf-csi-prox y-send-01|Thread-Index:=20Acp4wMl+JnGSdj/8Q+maARSMTXlnSgA LcgdA|Message-ID:=20<BF345F63074F8040B58C00A186FCA57F1C65>|References:=20<alpine .LNX.2.00.0911191100150.7833@whitebox>=0D=0A=09<BF345F630 .com>=0D=0A=09<alpine.LNX.2.00.0911201144010.7546@whitebo x>=0D=0A=09<BF345F63074F8040B58C00A186FCA57F1C65FB277D@NA>=0D=0A=09<alpine.LNX.2.00.09112 11025090.11248@localhost.localdomain>=0D=0A=09<BF345F6307 com>=0D=0A=09<alpine.LNX.2.00.0911242317130.11124@localho st.localdomain>=0D=0A=09<BF345F63074F8040B58C00A186FCA57F>=0D=0A=09<alpine.L NX.2.00.0911260951580.7596@whitebox>=0D=0A=09<37915D90-B2>=0D=0A=09<BF345F6307 com>=0D=0A=20<B2FDAE8C-CBC8-41BA-8604-B8A79AA763D7@lacnic .net>|In-Reply-To:=20<B2FDAE8C-CBC8-41BA-8604-B8A79AA763D>|Accept-Language:=20en-US|Content-Language: =20en-US|X-MS-Has-Attach:|X-MS-TNEF-Correlator: |acceptlanguage:=20en-US|Content-Type:=20text/plain=3B=20 charset=3D"us-ascii"|Content-Transfer-Encoding:=20quoted- printable|MIME-Version:=201.0|X-IronPort-AV:=20E=3DMcAfee =3Bi=3D"5400,1158,5826"=3B=20a=3D"29472707"; bh=KY6AwaZjpbM2Fao8bFsxWg11J/zhOAb3QIroZ6JW3mI=; b=tllz9ZSyV8v9QtCcQcDBNPzTD9ueX07pgRMPAfxKdsJmjggIZIqmBiWe wDDqO/mEDqpiktDMG1CWEHFhxXDMq2f4EhwIL25mdvJmmFfAc63BNOVON GdgPS54eVIZ/lA2CyTdo9vf6CW6KMgxGe/UmW8J2aqGnXI08PfviAYPhQ s=;
X-IronPort-AV: E=McAfee;i="5400,1158,5826"; a="29472707"
Received: from (HELO ([]) by with ESMTP; 09 Dec 2009 09:01:03 -0800
Received: from ( []) by (8.14.2/8.14.2/1.0) with ESMTP id nB9H12VG003572 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 9 Dec 2009 09:01:02 -0800
Received: from ( []) by (8.14.2/8.14.2/1.0) with ESMTP id nB9H112w010232 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 9 Dec 2009 09:01:01 -0800
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 9 Dec 2009 09:01:01 -0800
Received: from ([]) by ([]) with mapi; Wed, 9 Dec 2009 09:01:01 -0800
From: "Laganier, Julien" <>
To: Roque Gagliano <>
Date: Wed, 9 Dec 2009 09:00:59 -0800
Thread-Topic: [CGA-EXT] Review draft-ietf-csi-proxy-send-01
Thread-Index: Acp4wMl+JnGSdj/8Q+maARSMTXlnSgALcgdA
Message-ID: <>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <> <alpine.LNX.2.00.0911201144010.7546@whitebox> <> <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain> <> <alpine.LNX.2.00.0911242317130.11124@localhost.localdomain> <> <alpine.LNX.2.00.0911260951580.7596@whitebox> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>, "" <>
Subject: Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Dec 2009 17:01:15 -0000

Hi Roque -

> Julien,
> > Well, actually that's a feature of CGA's, one can show proof-of-ownership by signing with the CGA's private key. I own my CGA because I generated it and the corresponding key pair, and you do not own it and you can't show proof of ownership because you don't have the private key.
> >
> > So I think we want to keep using that term.
> >
> > I can agree that we don't want to talk about a prefix owner, though, but I don't think we're doing that in the document. 
> I understand, but CGA only refers to IIDs not to the complete address (including the prefix). 

CGA generation _and_ proof-of-ownership are tied to the CGA's prefix thus I disagree with your statement above.
> Coming from the addressing world I have to make the distinction. In our world we talk about "right of use" and not ownership. This means, I have the right of USING this CGA because I have possession of the correspondent private key.

A first observation is that the term ownership is used extensively in the CGA related literature.
That being said, you seem to be opposing ownership and right of use in this context when there's no need to. There's quite a difference between the two and not specific to that context. I might well own something and have no right to use it, e.g., a car, a plane, a gun.

So in terms of prefix I agree that you want to use right of use rather than ownership, but in terms of CG-addresses, IMHO we do want to say ownership.

> That is something I made clear in the CERT draft.

But the focus of the CERT draft is on delegating authorization to advertize/use prefixes or addresses that are NOT cryptographically generated, thus there's no ownership involved.

> > The lack of algorithm agility is generic to SEND and not specific to the Secure Proxy ND mechanism. When the WG concludes on how to move forward with algorithm agility, we can publish an RFC updating both RFC3971 and this to be RFC to add algorithm agility. 
> So, we know there is a problem and probably know that SEC ADs are looking at these particular issues, however we would to advance this draft to the IESG hopping that it passes their LC with the promise to solve the issue later on? I only have been in CSI for a couple of months but does not sound proper IETF process to me.
> The agility discussion also included a signaling between the parties in order to select which algorithm to use. What we can do while that discussion is not over in the WG is to make sure that new SEND options have the possibility of identifying which algorithms each party are using, leaving the signaling part for later. This is similar to DNSSEC where in order to change from SHA-1 to SHA-256 probably all signatures will be for a while duplicated in the zone files.

Would inclusion of an algorithm field in the PSO solve your concern?