Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
Alberto García <alberto@it.uc3m.es> Tue, 20 April 2010 10:31 UTC
Return-Path: <alberto@it.uc3m.es>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4AEF628C1C4 for <cga-ext@core3.amsl.com>; Tue, 20 Apr 2010 03:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.162
X-Spam-Level:
X-Spam-Status: No, score=-4.162 tagged_above=-999 required=5 tests=[AWL=-0.278, BAYES_40=-0.185, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbsEht0NWmly for <cga-ext@core3.amsl.com>; Tue, 20 Apr 2010 03:31:20 -0700 (PDT)
Received: from smtp03.uc3m.es (smtp03.uc3m.es [163.117.176.133]) by core3.amsl.com (Postfix) with ESMTP id E9E043A6C06 for <cga-ext@ietf.org>; Tue, 20 Apr 2010 03:25:20 -0700 (PDT)
X-uc3m-safe: yes
Received: from bombo (bombo.it.uc3m.es [163.117.139.125]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by smtp03.uc3m.es (Postfix) with ESMTP id CBBA97331A3; Tue, 20 Apr 2010 12:25:07 +0200 (CEST)
From: Alberto García <alberto@it.uc3m.es>
To: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, cga-ext@ietf.org
References: <4BCD647B.1050600@it.uc3m.es>
Date: Tue, 20 Apr 2010 12:25:08 +0200
Message-ID: <1976F3118BF0443481221A22A5EAEF92@bombo>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcrgYt1v+tjTTbW5Q869JgngZxmrywAB8x6w
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
In-Reply-To: <4BCD647B.1050600@it.uc3m.es>
X-TM-AS-Product-Ver: IMSS-7.0.0.3116-6.0.0.1038-17162.002
Cc: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
Subject: Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 10:31:21 -0000
Hi, Some comments: In section 4 (What CGA can do for DHCPv6), it would help to describe the scenario in which CGAs can be used, i.e. indicating which of the elements use CGA, and in which part of the DHCP configuration process can be beneficial the use of CGA. Even though the draft is not devoted to solutions, at least it should be shown a scenario in which a possible solution could be developed. In fact, I do not clearly see why using CGA is an advantage in this scenario: CGA are good to state that a node has the authorization to use a given address, but it is not clear to me that it is to say that a node has the authorization to act as something (a DHCP server, a relay). For this, some configuration is required to bind the 'authorization' to the CGA address. How is this done? You then say a possible way of achieving this "The minimum level of pre-configuration is to configure public keys on both parties of communication or have a third party authority available for users to retrieve public keys." Well, the nice thing of CGA is that you don't need to know in advance keys, but addresses (and the addresses can be securely bound to keys dynamically, by means of conveying the CGA parameter data structure, which is verified to see that the binding is correct). I think the configuration should be just the CGA address. But then, if you need configuration, which is the benefit over IPsec? AFAIU IPsec has a number of benefits on its own: it is the current standard for use in DCHP exchange, it allows negotiation of security parameters so it is more secure than CGAs... The nice thing of CGAs is that in general you use them without configuring anything or just by using them as addresses (you just configure the DNS, and that's all). May be I'm not understanding properly this part. Can you be more specific? In addition, as a problem statement document, it should be more exhaustive in detailing all the problems which can be addressed by CGAs (even though there is no detail on the solution). --- In the second paragraph of the introduction you say: "By using the associated public & private keys as described by SEcure Neighbor Discovery (SEND) [RFC3971], CGAs can protect the Neighbor Discovery Protocol (NDP) [RFC4861], i.e. they can provide address validation and integrity protection for NDP messages." Although this is true, of course, I don't see the point in just considering here0020one protocol which use CGAs. The draft is about configuring CGAs, and this CGAs can be used for any purpose (SEND, SHIM6, any other). Here it seems there is a specific dependency on SEND, which I think is not the case. I would replace with: "CGAs are used in protocols such as SEND [RFC3971] or SHIM6 [RFC5533]." or something similar. ---- Regards, Alberto | -----Mensaje original----- | De: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] En nombre de | marcelo bagnulo braun | Enviado el: martes, 20 de abril de 2010 10:23 | Para: cga-ext@ietf.org | CC: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org | Asunto: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt | | Hi, | | This note issues the WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt | Please, review the document and send your comments before april the 10th. | | For your convenience, you can find the document at | http://datatracker.ietf.org/doc/draft-ietf-csi-dhcpv6-cga-ps/ | | Regards, marcelo | | _______________________________________________ | CGA-EXT mailing list | CGA-EXT@ietf.org | https://www.ietf.org/mailman/listinfo/cga-ext
- Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-… marcelo bagnulo braun
- [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-0… marcelo bagnulo braun
- Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-… marcelo bagnulo braun
- Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-… Alberto García
- Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-… Sheng Jiang