Re: [CGA-EXT] Comments on draft-jiang-dhc-secure-dhcpv6-02

Sheng Jiang <shengjiang@huawei.com> Fri, 25 September 2009 01:09 UTC

Date: Fri, 25 Sep 2009 09:10:06 +0800
From: Sheng Jiang <shengjiang@huawei.com>
In-reply-to: <alpine.LNX.2.00.0909241639070.13009@whitebox>
To: 'Tony Cheneau' <tony.cheneau@it-sudparis.eu>, 'Sean Shen' <shenshuo@cnnic.cn>
Message-id: <000d01ca3d7c$ec235ce0$3a0c6f0a@china.huawei.com>
Cc: dhcwg@ietf.org, cga-ext@ietf.org
Subject: Re: [CGA-EXT] Comments on draft-jiang-dhc-secure-dhcpv6-02

Tony,

Thanks so much for your comments. They are helpful. See my detailed replies
inline.

Cheers,

Sheng 

> -----Original Message-----
> From: Tony Cheneau [mailto:tony.cheneau@it-sudparis.eu] 
> Sent: Thursday, September 24, 2009 10:57 PM
> To: shengjiang@huawei.com; Sean Shen
> Cc: cga-ext@ietf.org; dhcwg@ietf.org
> Subject: Comments on draft-jiang-dhc-secure-dhcpv6-02
> 
> Hello,
> 
> I read draft-jiang-dhc-secure-dhcpv6-02 and I have the 
> following comments:
> - you should remain consistent and always use the term CGA Parameters
>    (sometimes, the 's' is lacking). 

Ok, this will be fixed in the next version.

> - section 6.3, "The CGA of a client will not lose during relaying." needs to
>   be corrected (does not make much sense).

I guess we need to add some context here. This is a comparison sentence with
"The CGA of a server will lose during relaying".

> - in the same section, maybe due to a lack of knowledge in the DHCPv6
>   protocol, I fail to understand how the Relay Agent will prove the DHCP
>   Client's address ownership to the DHCP server and how the Relay Agent will
>   prove the DHCP server authorization to the DHCP Client. Can you enlighten me
>   on this point?

The relay agent is not involved in the authentication between DHCP server and
client. The authentication is end-to-end and is transparent to the relay agent.
We just make sure that the relaying process does not throw away the
authentication information.
 
> - the document is rather fuzzy on how you deploy certificates on DHCP routers
>   to perform the ADD. If you plan to reuse the certificate deployed on SEND
>   routers, it would be wise to provide an "extended key usage" value for the
>   authorization to act as a DHCP server (there is already a value for proxying
>   functionalities and such defined in draft-ietf-csi-send-cert).
> 
> - also, the text is not clear on the fact that a DHCP Server MUST use a
>   certificate to prove its authority. I think the text should be clarified on
>   that point.

We left certificate deployment out of scope on purpose. This document builds
on the assumption that all the network hosts have already deployed the
certificates they need. Certificate deployment is a complicated topic, and
there are many documents on it. I guess we can add some references in a future
version.

Best regards,

Sheng
 
> Best regards,
>   Tony Cheneau
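The address-ownership check that the DHCP server performs on the client's CGA, as an added example (not code from the draft or its authors; standard-library Python only): RFC 3972 generation and verification of a CGA from its CGA Parameters, which is why the relay agent only has to forward that option intact. The subnet prefix and public-key bytes are constructed stand-ins, not values from the thread.

```python
import hashlib
import os

# Bits 3-5 of the first IID byte must equal Hash1; bits 0-2 hold sec, bits 6-7 ("u"/"g") are ignored.
COMPARE_MASK = 0x1C

# Constructed sample inputs (not from the draft): documentation prefix, stand-in for a DER SubjectPublicKeyInfo.
SAMPLE_PREFIX = bytes.fromhex("20010db800000001")
SAMPLE_PUBKEY = b"constructed stand-in for the client's DER public key"

def build_params(modifier, prefix, collision_count, pubkey):
    """CGA Parameters: modifier(16) | subnet prefix(8) | collision count(1) | public key."""
    if len(modifier) != 16 or len(prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("malformed CGA Parameters fields")
    return modifier + prefix + bytes([collision_count]) + pubkey

def hash1(params):
    """Leftmost 64 bits of SHA-1 over the full CGA Parameters."""
    return hashlib.sha1(params).digest()[:8]

def hash2(params):
    """Leftmost 112 bits of SHA-1 with subnet prefix and collision count zeroed."""
    return hashlib.sha1(params[:16] + b"\x00" * 9 + params[25:]).digest()[:14]

def generate_cga(prefix, pubkey, sec, collision_count=0, modifier=None):
    """Client side: search a modifier giving 16*sec leading zero bits in Hash2,
    then derive the interface identifier from Hash1. Returns (address, params)."""
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while True:
        params = build_params(m.to_bytes(16, "big"), prefix, collision_count, pubkey)
        if hash2(params)[:2 * sec] == b"\x00" * (2 * sec):
            break
        m = (m + 1) % (1 << 128)
    iid = bytearray(hash1(params))
    iid[0] = (iid[0] & COMPARE_MASK) | (sec << 5)  # write sec, clear u and g bits
    return prefix + bytes(iid), params

def verify_cga(address, params):
    """Server side (RFC 3972 section 5): the address must be bound to the public key
    in params. A relay that drops or alters the CGA Parameters makes this fail."""
    if len(address) != 16 or len(params) < 25 or params[24] > 2:
        return False
    if params[16:24] != address[:8]:  # subnet prefix in params must match the address
        return False
    iid, h1 = address[8:], hash1(params)
    if (iid[0] & COMPARE_MASK) != (h1[0] & COMPARE_MASK) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5
    return hash2(params)[:2 * sec] == b"\x00" * (2 * sec)
```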