Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

"Laganier, Julien" <julienl@qualcomm.com> Fri, 20 November 2009 17:33 UTC

From: "Laganier, Julien" <julienl@qualcomm.com>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>, Tony Cheneau <tony.cheneau@it-sudparis.eu>
Date: Fri, 20 Nov 2009 09:32:48 -0800
Thread-Topic: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
Thread-Index: Acpp/UhtyyhfB7bFRTOCEWlJDT3mrQACTqWw
Message-ID: <BF345F63074F8040B58C00A186FCA57F1C65FB2782@NALASEXMB04.na.qualcomm.com>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <BF345F63074F8040B58C00A186FCA57F1C66087842@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911201144010.7546@whitebox> <729b68be0911200819o39a9dd66jf5b888f05d2ab7df@mail.gmail.com>
In-Reply-To: <729b68be0911200819o39a9dd66jf5b888f05d2ab7df@mail.gmail.com>
Cc: "draft-ietf-csi-proxy-send@tools.ietf.org" <draft-ietf-csi-proxy-send@tools.ietf.org>, "cga-ext@ietf.org" <cga-ext@ietf.org>
Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

Hi Jean-Michel,
 
> > Another question that comes to my mind just now, and that may need
> > clarification in your document is:
> > Is your solution able to provide Secure Proxy ND for the fe80::/64
> > prefix? I mean, a router does not announce this prefix as it is not a
> > routable one. Then, there will be no CPS/CPA exchange for this prefix,
> > meaning no certificate exchange. What is the processing of a host
> > receiving an ND message toward a fe80::/64 address signed with a Proxy
> > Signature Option? How can he learn the certificate of the Secure
> > Proxy ND? This should be addressed as it is a use case of RFC 4389 (I
> > think).
> 
> IMHO, securing ND Proxy for fe80::/64 case is out of scope.

It is in scope and required for RFC 4389 as Tony pointed out, e.g., link-local addresses will be used by routers and will be present in RAs sent by routers, or in NS/NA when a node attempts address resolution for a router's link-local address. These packets need to be proxied. However, the fe80::/64 prefix need not be present in the authorization certificates. The draft should simply specify (although it currently does not) that a proxy ND is always authorized to proxy addresses in the fe80::/64 prefix. That has to be fixed in the next revision of the draft.

--julien
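The authorization rule proposed above, written out as an added example (not code from the thread, the draft, or any SEND implementation): a receiving host keeps the proxy certificates it learned through CPS/CPA, checks that it holds a certificate for the proxy that signed the message (otherwise the Proxy Signature Option cannot be verified at all), and then authorizes the proxied target either because it falls inside a prefix listed in that certificate or, as Julien proposes, because it is link-local, with no need for fe80::/64 to appear in the certificate. The `ProxyCertificate` model, the subject-keyed cache, and the `allow_link_local` switch are assumptions of this example; the switch exists only to show what a verifier that lacks the link-local rule would do with a proxied RA from a router's link-local address.

```python
import ipaddress
from dataclasses import dataclass

# fe80::/64 is never advertised in an RA, so no CPS/CPA exchange is ever run
# for it, yet routers' link-local addresses do appear in proxied RAs and in
# NS/NA exchanges for address resolution.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


@dataclass(frozen=True)
class ProxyCertificate:
    """Hypothetical model of a proxy's authorization certificate as learned
    via CPS/CPA: the subject name (used here to match the signer of a Proxy
    Signature Option) and the prefixes the proxy is certified to proxy."""
    subject: str
    prefixes: tuple  # of ipaddress.IPv6Network


def make_certificate(subject, prefix_strings):
    # strict=True: a prefix with host bits set is a malformed certificate,
    # which should fail verification rather than be silently widened.
    nets = tuple(ipaddress.IPv6Network(p, strict=True) for p in prefix_strings)
    return ProxyCertificate(subject, nets)


class ProxyNDVerifier:
    """Decides whether a host should accept an ND message carrying a Proxy
    Signature Option from `signer` on behalf of `target`."""

    def __init__(self, allow_link_local=True):
        # allow_link_local=False models a verifier without the rule proposed
        # in the thread, i.e. one that only trusts certified prefixes.
        self.allow_link_local = allow_link_local
        self._certs = {}  # subject -> ProxyCertificate

    def learn_certificate(self, cert):
        self._certs[cert.subject] = cert

    def check(self, signer, target):
        """Return (accepted, reason). The signature itself is assumed to have
        been checked against the certificate's key; this is the
        authorization step that follows it."""
        cert = self._certs.get(signer)
        if cert is None:
            # Without a certificate there is no key to verify the option,
            # so the message must be treated as unsigned and dropped.
            return False, "no certificate for signer; Proxy Signature Option unverifiable"
        addr = ipaddress.IPv6Address(target)
        if addr in LINK_LOCAL:
            if self.allow_link_local:
                return True, "link-local target: always authorized for a certified proxy"
            return False, "link-local target not covered by any certified prefix"
        for prefix in cert.prefixes:
            if addr in prefix:
                return True, f"target within certified prefix {prefix}"
        return False, "target outside the prefixes the proxy is certified for"


def demo():
    # Constructed scenario: one proxy certified for a single routable prefix.
    verifier = ProxyNDVerifier()
    verifier.learn_certificate(make_certificate("proxy.example", ["2001:db8:1::/64"]))
    return {
        "certified target": verifier.check("proxy.example", "2001:db8:1::1"),
        "uncertified target": verifier.check("proxy.example", "2001:db8:2::1"),
        "router link-local": verifier.check("proxy.example", "fe80::1"),
        "unknown signer": verifier.check("unknown.example", "fe80::1"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'DROP':6s} {why}")
```

Run as a script, the demo accepts the certified target and the link-local target, and drops the uncertified target and the message from a proxy with no learned certificate; constructing the verifier with `allow_link_local=False` makes the link-local case drop as well, which is the behaviour the thread is pointing out must be avoided.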