IETF Logo Mail Archive

Re: [CGA-EXT] proposed csi charter text

Jari Arkko <jari.arkko@piuha.net> Fri, 28 December 2007 11:32 UTC

Return-path: <cga-ext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8DSF-0006NQ-Hs; Fri, 28 Dec 2007 06:32:43 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8DSD-0006NH-TZ for cga-ext@ietf.org; Fri, 28 Dec 2007 06:32:41 -0500
Received: from p130.piuha.net ([2001:14b8:400::130] helo=smtp.piuha.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J8DSC-00027D-W6 for cga-ext@ietf.org; Fri, 28 Dec 2007 06:32:41 -0500
Received: from smtp.piuha.net (localhost [127.0.0.1]) by smtp.piuha.net (Postfix) with ESMTP id 532B71986D1; Fri, 28 Dec 2007 13:32:40 +0200 (EET)
Received: from [127.0.0.1] (unknown [IPv6:2001:14b8:400::130]) by smtp.piuha.net (Postfix) with ESMTP id 0494319865F; Fri, 28 Dec 2007 13:32:39 +0200 (EET)
Message-ID: <4774DED7.60204@piuha.net>
Date: Fri, 28 Dec 2007 13:32:39 +0200
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 1.5.0.14pre (X11/20071022)
MIME-Version: 1.0
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: [CGA-EXT] proposed csi charter text
References: <72D662E6-AF61-468C-82DD-65564307EF34@it.uc3m.es>
In-Reply-To: <72D662E6-AF61-468C-82DD-65564307EF34@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: -1.4 (-)
X-Scan-Signature: 42e3ed3f10a1d8bef690f09da16f507a
Cc: cga-ext@ietf.org
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Errors-To: cga-ext-bounces@ietf.org

FWIW, this charter looks fine to me.

I have done one edit, however: I removed the argumentation about ECC. It
is already convincing enough argument that we need more than one
algorithm. No further arguments are needed.

I am now sending the charter to IESG and IAB discussion.

Jari

> Proposed charter for Cga & Send maIntenance (CSI) BOF
>
> The Secure Neighbor Discovery (SEND) protocol defined by RFC 3971
> provides security mechanisms protecting different functions of the
> Neighbor Discovery (ND) protocol defined by RFC 2461.  This includes
> address resolution (discovering link layer address of another node
> attached to the link), router discovery (discovering routers attached
> to the link), and neighbor unreachability detection (detecting that a
> node attached to the link is no longer reachable).  SEND protection of
> address resolution and neighbor unreachability detection functions
> relies on IPv6 address proof-of-ownership and message integrity
> protection provided respectively via Cryptographically Generated
> Addresses (CGAs) and RSA Digital Signatures.
>
> CGAs are defined in RFC 3972, and are extended with a CGA extension
> format defined in RFC 4581, and a support for multiple hash functions
> defined in RFC 4982. While CGAs were originally defined for the SEND
> protocol, they have proved to be a useful security tool in other
> environments too, and its usage has been proposed to secure other
> protocols such as the Shim6 multihoming protocol and the Mobile IPv6
> protocol. While there is very little deployment of SEND to date,
> there are a number of implementations, recommendations in the NIST
> and DOD profiles call for use of SEND, and operating system vendors
> are considering adding SEND to their next releases. As a result, it
> is desirable to review the current state of the SEND and CGA
> specifications, maintain and complement them where necessary. Up to
> date cryptographic algorithms are needed, and the protocols need to be
> able to deal with certain common situations currently not supported.
>
> Specifically, the WG will look at the following issues:
>
> - Develop an informational document analyzing the implications of recent
>   attacks on hash functions used by SeND protocol. Current SeND
>   specification uses the SHA-1 hash algorithm and does not provides
>   support for hash algorithm agility, hence the critical need for
>   understanding the impact of the attacks on the SeND protocol. In
>   addition, if as a result of the aforementioned analysis it is
>   deemed necessary, standard-track extensions to the SeND protocol to
>   support multiple hash algorithms will be defined.
>
> - Specify a standards-track CGA and SeND extensions to support multiple
>   public key algorithms. As currently defined CGA and SeND can only use
>   RSA keys, and they lack support for other public key algorithms
>   (e.g. Elliptic Curve Cryptography -- ECC).
>
> - Definition of X.509 Extended Key Usage for SeND. SeND utilizes X.509v3
>   certificates for performing router authorization.  It uses the X.509
>   extension for IP addresses to verify whether the router is authorized
>   to advertise the mentioned IP addresses.  Since the IP addresses
>   extension does not explicitly mention what functions the node can
>   perform for the IP addresses it becomes impossible to know the reason
>   for which the certificate was allowed.  In order to facilitate issuance
>   of certificates for specific functions, we need to encode the functions
>   permitted for the certificate into the certificate itself.
>
> - Develop X.509 certificate management tools for SeND. SeND utilizes
> X.509v3
>   certificates for performing router authorization.  It uses the X.509
>   extension for IP addresses to verify whether the router is authorized
>   to advertise the mentioned IP addresses.  Since the IP addresses
>   extension does not explicitly mention what functions the node can
>   perform for the IP addresses it becomes impossible to know the reason
>   for which the certificate was allowed.  In order to facilitate issuance
>   of certificates for specific functions, we need to encode the functions
>   permitted for the certificate into the certificate itself. The WG will
>   develop a certificate profile, including a definition of X.509 Extended
>   Key Usage for SeND . In addition, the WG will recommend best
> practices for
>   (1) enrollment, (2) revocation checking, and (3) publishing of
>   certificates. This WG will ensure that the profile and recommended
>   practices will cover usage by hosts in addition to routers.
>
> - Develop a standard track document defining a mechanism to perform
>   SeND certificate provisioning for routers. SeND protocol as defined
>   in RFC3971 specifies how IPv6 nodes can trust the prefixes advertised
>   by a router. The solution is based on the use of the IP Address
>   Delegation extension (RFC3779) in X.509 v3 certificates (RFC3280).
>   This work will provide the tools require to provision with the
>   certificates to the routers in an automatic manner.
>
> - Produce a problem statement document for Neighbor Discovery Proxies
>   and then specify standards-track SEND Extensions to support Neighbor
>   Discovery Proxies:  SEND protocol as currently defined in RFC 3971
>   lacks of support for ND Proxies defined in RFC 3775 and RFC 4389.
>   Extensions to the SEND protocol will be defined in order to provide
>   equivalent SEND security capabilities to ND Proxies.
>
> - Develop an informational document analysing different approaches
>   to allow SeND and CGAs to be used in conjunction with DHCP, and
>   making recommendations on which are the best suited.  Recharter
>   based on the result of the analysis.
>
> - Update base specifications (RFC 3971 and 3972).
>
>
> Goals and Milestones:
>
> Jun 08          WG last-call on analysis of hash related threats in SeND
> Jun 08        WG last-call on Proxy-SeND problem statement
> Dec 08          WG last-call on Proxy SeND
> Dec 08          WG last-call on multiple hash function support in
> SeND, if required
> Set 08          WG last-call on CGA-DHCP interaction
> Set 08          WG last-call on multiple public key algorithm support
> for CGA
> Set 08          WG last-call on multiple public key algorithm support
> for SeND
> Dec 08          WG last-call on certificate profile definition for SeND
> Dec 08          WG last-call on certificate provision mechanism for
> SeND routers
> Dec 08          WG last-call on certificate management best practices
> for SeND routers
> Feb 09          WG last-call on updated SeND specification
> Feb 09          WG last-call on updated CGA specification
>
> Jul 08          Submit draft on analysis of hash related threats in
> SeND to IESG
> Jul 08         Submit draft on Proxy-SeND problem statement to IESG
> Jan 09          Submit draft on Proxy SeND to IESG
> Jan 09          Submit draft on multiple hash function support in SeND
> to IESG, if required
> Oct 08          Submit draft on CGA-DHCP interaction to IESG
> Oct 08          Submit draft on multiple public key algorithm support
> for CGA to IESG
> Oct 08          Submit draft on multiple public key algorithm support
> for SeND to IESG
> Jan 09          Submit draft on EKU definition for SeND to IESG
> Jan 08          Submit draft on certificate provision mechanism for
> SeND routers to IESG
> Jan 08          Submit draft on certificate management best practices
> for SeND routers to IESG
> Mar 09          Submit draft on updated SeND specification to IESG
> Mar 09          Submit draft on updated CGA specification to IESG



_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www1.ietf.org/mailman/listinfo/cga-ext

v2.23.0 | Report a Bug | By Email