[CGA-EXT] Re: Charter and scope
marcelo bagnulo braun <marcelo@it.uc3m.es> Wed, 24 October 2007 13:57 UTC
Return-path: <cga-ext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IkgkA-0006vc-Kn; Wed, 24 Oct 2007 09:57:58 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ikgk8-0006uY-HZ for cga-ext@ietf.org; Wed, 24 Oct 2007 09:57:56 -0400
Received: from smtp03.uc3m.es ([163.117.176.133] helo=smtp.uc3m.es) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ikgk2-00073a-J1 for cga-ext@ietf.org; Wed, 24 Oct 2007 09:57:56 -0400
Received: from [163.117.139.63] (chelo-it-uc3m-es.it.uc3m.es [163.117.139.63])(using TLSv1 with cipher AES128-SHA (128/128 bits))(No client certificate requested)by smtp.uc3m.es (Postfix) with ESMTP id 8F19013990C;Wed, 24 Oct 2007 15:57:44 +0200 (CEST)
In-Reply-To: <471F34BA.70301@piuha.net>
References: <043101c8159a$78f81410$576115ac@dcml.docomolabsusa.com> <471F18DD.8050009@piuha.net> <F7ADC7F5-29BB-4D2D-B589-D354C4288401@it.uc3m.es> <471F34BA.70301@piuha.net>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="ISO-8859-1"; delsp="yes"; format="flowed"
Message-Id: <89942083-3A48-450A-AD51-11E79363DCBE@it.uc3m.es>
Content-Transfer-Encoding: quoted-printable
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Wed, 24 Oct 2007 15:57:55 +0200
To: Jari Arkko <jari.arkko@piuha.net>
X-Mailer: Apple Mail (2.752.3)
X-imss-version: 2.049
X-imss-result: Passed
X-imss-scanInfo: M:B L:E SM:2
X-imss-tmaseResult: TT:1 TS:-15.8628 TC:1F TRN:93 TV:5.0.1023(15502.003)
X-imss-scores: Clean:100.00000 C:0 M:0 S:0 R:0
X-imss-settings: Baseline:1 C:1 M:1 S:1 R:1 (0.0000 0.0000)
X-Spam-Score: -1.9 (-)
X-Scan-Signature: 0cff8c3ec906d056784362c06f5f88c1
Cc: cga-ext@ietf.org
Subject: [CGA-EXT] Re: Charter and scope
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Errors-To: cga-ext-bounces@ietf.org
El 24/10/2007, a las 14:04, Jari Arkko escribió: > >> - do you think that the mib definition for SeND and CGAs are out of >> the scope? This seems to be not related to the usge of CGAs as a >> generic security tool... > > That's right. I only took it out to reduce the number of work items to > those that seemed highest priority. But this is certainly something > that > we should talk about. ok, i think we should do that, and i guess this shouldn't be too difficult actually, i was reviewing rfc 3971 and it is written in such a way that would this work be quite straight forward imho... i mean, the "configuration" sections on each mayor part of the protocol basically defines the data strucutures that need to be managed, so this would simplify the task of defining the mib i think > >> - i think we should also include an item that perform the rescorla >> bellovin analysis on the SeND spec (rfc3971) and to evaluate its >> dependency on SHA1 algorithm and eventually update rfc3971 to support >> multiple hash functions > > Didn't we do this already? > we have done that for rfc3972 but not for rfc3971 i have been reviewing rfc3971 and there is some encoding of the sha1 algorithm in there and it may worthwhile to do the rescorla bellovin analysis for that spec and see if it is needed to provide hash function agility >> - in addition, we should also extend SeND spec (rfc3971) to support >> multiple public key algorithms, so send can use the other public key >> algorithms that are defind in the CGA update item... >> do you think it would make sense to include these additional items? > > Yes, definitely. I may have forgotten that one out of the revision I > made. If so, apologies. That should definitely be there. > Actually this was my mistake (i forgot to include it in the charter proposal :-( Regards, marcelo > Jari >> >> regards, marcelo >> >> El 24/10/2007, a las 12:05, Jari Arkko escribió: >> >>> There's a bit of pushback from the security experts in >>> IESG and IAB to expand the scope of CGAs to generic >>> security mechanisms such as IKE. This pushback relates >>> to the question of key sizes as well as whether INT would >>> be the right place for such work. I tend to agree with this. >>> >>> In addition, taking another look at the charter now it seems >>> that it has a fair bit material in it. It might be better to focus >>> the work on improving the use of SEND/CGA for IP layer purposes. >>> This by itself is already a big effort. >>> >>> With that in mind, would the following reduced charter be >>> acceptable: >>> >>> Proposed charter for Cga & Send maIntenance (CSI) BOF >>> >>> The Secure Neighbor Discovery (SEND) protocol defined by RFC 3971 >>> provides security mechanisms protecting different functions of the >>> Neighbor Discovery (ND) protocol defined by RFC 2461. This includes >>> address resolution (discovering link layer address of another node >>> attached to the link), router discovery (discovering routers >>> attached >>> to the link), and neighbor unreachability detection (detecting >>> that a >>> node attached to the link is no longer reachable). SEND >>> protection of >>> address resolution and neighbor unreachability detection functions >>> relies on IPv6 address proof-of-ownership and message integrity >>> protection provided respectively via Cryptographically Generated >>> Addresses (CGAs) and RSA Digital Signatures. >>> >>> CGAs are defined in RFC 3972, and are extended with a CGA extension >>> format defined in RFC 4581, and a support for multiple hash >>> functions >>> defined in the to-be-RFC draft-bagnulo-multiple-hash-cga-03.txt. >>> While CGAs were originally defined for the SEND protocol, they have >>> proved to be a useful security tool in other environments too, >>> and its >>> usage has been proposed to secure other protocols such as the Shim6 >>> multihoming protocol and the Mobile IPv6 protocol. While there is >>> very little deployment of SEND to date, there are a number of >>> implementations, recommendations in the NIST and DOD profiles call >>> for use of SEND, and operating system vendors are considering >>> adding SEND to their next releases. As a result, it is desirable >>> to review the current state of the SEND and CGA specifications, >>> maintain and complement them where necessary. Up to date >>> cryptographic algorithms are needed, and the protocols need to be >>> able to deal with certain common situations currently not supported. >>> >>> Specifically, the WG will look at the following issues: >>> >>> - Specify standards-track SEND Extensions to support Neighbor >>> Discovery Proxies: SEND protocol as currently defined in RFC 3971 >>> lacks of support for ND Proxies defined in RFC 3775 and RFC 4389. >>> Extensions to the SEND protocol will be defined in order to >>> provide >>> equivalent SEND security capabilities to ND Proxies. >>> >>> - Develop an informational document analysing different >>> approaches to >>> the use of the DHCP protocol to assign CGAs, and making >>> recommandations on which are the best suited. The analysis >>> will be >>> provided as an input to the DHC working group where the actual >>> DHCP >>> extensions required to implemented the recommended approaches will >>> be defined. >>> >>> - Specify a standards-track CGA extension to support multiple public >>> key algorithms. As currently defined CGAs can only use RSA keys in >>> the CGA Parameter Data Structure, and thus cannot be generated >>> using >>> other public key algorithms (e.g. Elliptic Curve Cryptography -- >>> ECC). The main motivation for this work is that RSA keys are not >>> well suited for environments with resource restrictions (CPU, >>> storage, >>> power) such as the ones considered by the 6lowpan working >>> group. ECC >>> is much well suited for such environments and the lack of support >>> of ECC >>> in CGAs and SeND is a deployment blocker in these environments. >>> >>> - Definition of X.509 Extended Key Usage for SeND. SeND utilizes >>> X.509v3 >>> certificates for performing router authorization. It uses the >>> X.509 >>> extension for IP addresses to verify whether the router is >>> authorized >>> to advertise the mentioned IP addresses. Since the IP addresses >>> extension does not explicitly mention what functions the node can >>> perform for the IP addresses it becomes impossible to know the >>> reason >>> for which the certificate was allowed. In order to facilitate >>> issuance >>> of certificates for specific functions, we need to encode the >>> functions >>> permitted for the certificate into the certificate itself. >>> >>> - Update base specifications (RFC 3971 and 3972), if needed. >>> >>> Related drafts: >>> >>> draft-kempf-cgaext-ringsig-ndproxy-00.txt >>> draft-laganier-ike-ipv6-cga-02.txt >>> draft-jiang-sendcgaext-cga-config-00.txt >>> >>> >> >> >> > _______________________________________________ CGA-EXT mailing list CGA-EXT@ietf.org https://www1.ietf.org/mailman/listinfo/cga-ext
- [CGA-EXT] BOF Date? James Kempf
- Re: [CGA-EXT] BOF Date? MARCELO BAGNULO BRAUN
- Re: [CGA-EXT] BOF Date? Jari Arkko
- [CGA-EXT] Charter and scope Jari Arkko
- [CGA-EXT] Re: Charter and scope marcelo bagnulo braun
- [CGA-EXT] Re: Charter and scope Jari Arkko
- [CGA-EXT] Re: Charter and scope marcelo bagnulo braun