Re: [CGA-EXT] comments on draft-jiang-csi-dhcpv6-cga-ps-03.txt
Sheng Jiang <shengjiang@huawei.com> Tue, 22 September 2009 07:21 UTC
Return-Path: <shengjiang@huawei.com>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 361FF3A6930 for <cga-ext@core3.amsl.com>; Tue, 22 Sep 2009 00:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.356
X-Spam-Level:
X-Spam-Status: No, score=-0.356 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hpb59rXv5J0X for <cga-ext@core3.amsl.com>; Tue, 22 Sep 2009 00:21:28 -0700 (PDT)
Received: from szxga04-in.huawei.com (unknown [119.145.14.67]) by core3.amsl.com (Postfix) with ESMTP id 47F7A3A682E for <cga-ext@ietf.org>; Tue, 22 Sep 2009 00:21:28 -0700 (PDT)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KQD007QV359DP@szxga04-in.huawei.com> for cga-ext@ietf.org; Tue, 22 Sep 2009 15:22:21 +0800 (CST)
Received: from huawei.com ([172.24.1.24]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KQD0050P358CI@szxga04-in.huawei.com> for cga-ext@ietf.org; Tue, 22 Sep 2009 15:22:20 +0800 (CST)
Received: from j66104a ([10.111.12.58]) by szxml04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KQD00M16358CW@szxml04-in.huawei.com> for cga-ext@ietf.org; Tue, 22 Sep 2009 15:22:20 +0800 (CST)
Date: Tue, 22 Sep 2009 15:22:20 +0800
From: Sheng Jiang <shengjiang@huawei.com>
In-reply-to: <4AB723A1.5020107@it.uc3m.es>
To: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, cga-ext@ietf.org
Message-id: <004901ca3b55$6c48a6c0$3a0c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Thread-index: Aco6iLA5wcTUyS24TM6Twiz+29Hx3gAyEgQg
Subject: Re: [CGA-EXT] comments on draft-jiang-csi-dhcpv6-cga-ps-03.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2009 07:21:29 -0000
See the reply in the lines. Many thanks for your comments. Cheers, Sheng > In section 3. What DHCPv6 can do for CGA it reads: > > Generating a key pair, which will be used to generate a CGA, also > requires a notable computation. Generation and > distribution of a key > pair can also be done by DHCPv6 server. Of course, when designing > these new functions, one should carefully consider the impact on > security. However, the security considerations of > specific solutions > are out of scope of this document. > > > While i agree that the security aspects of a specific > solution are out of scope, i am not sure we can completelly > dump the issue. I mean, in order for the DHCP server to > convey the SEC information, the ecurity is critical. Is it > really feasible to provide enough security, without breaking > the dhcp model? I think further analysis on this is needed. We agree fully. We were not sure whether we should have deep security analysis in this PS draft. We thought this analysis was more suitable in the specific solution document. Section 6 of http://tools.ietf.org/html/draft-jiang-csi-cga-config-dhcpv6-00 is the analysis. If suitable, we can abstract some text here. > Then, in 4. What CGA can do for DHCPv6, it is described that > CGa can be used to secure dhcp. Now, i think a bit more > analysis of what features would be provided if we do this > i.e. what types of attacks are prevented, it would be useful > AFAICT, this would much like an ssh type f security (i.e. > also called oportunistic or leap of faith security) I think > this is worht the trouble, But i think needs to be more > clearly stated. We did it on purpose to keep PS document highly abstract and leave the detailed analysis in the specific solution document. Section 3 of http://tools.ietf.org/html/draft-jiang-dhc-secure-dhcpv6-02 uses one and half pages to analysis what security improvement CGA can bring to DHCPv6. If the CSI chair think it is suitable, of course, we can input some abstacted text here. > So, if we cover these two topics, i think the document does a > fairly good job analysis the different apsects. Now, i think > it would be interesting also to discuss (even though maybe > not include in the document at this point) what parts of this > interaction we would like to work on if any. Like above-mentioned, we already worked on some possible works mentioned in PS draft. Above two drafts cover these primary works from us. They are not included in the current CSI milestones though they are suitable for CSI charter notionally. I guess CSI WG can discuss these works and may include them in the future CSI milestones. Best regards, Sheng > _______________________________________________ > CGA-EXT mailing list > CGA-EXT@ietf.org > https://www.ietf.org/mailman/listinfo/cga-ext
- [CGA-EXT] comments on draft-jiang-csi-dhcpv6-cga-… marcelo bagnulo braun
- Re: [CGA-EXT] comments on draft-jiang-csi-dhcpv6-… Sheng Jiang