Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt

Alberto García <alberto@it.uc3m.es> Tue, 20 April 2010 10:31 UTC

Return-Path: <alberto@it.uc3m.es>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4AEF628C1C4 for <cga-ext@core3.amsl.com>; Tue, 20 Apr 2010 03:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.162
X-Spam-Level:
X-Spam-Status: No, score=-4.162 tagged_above=-999 required=5 tests=[AWL=-0.278, BAYES_40=-0.185, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbsEht0NWmly for <cga-ext@core3.amsl.com>; Tue, 20 Apr 2010 03:31:20 -0700 (PDT)
Received: from smtp03.uc3m.es (smtp03.uc3m.es [163.117.176.133]) by core3.amsl.com (Postfix) with ESMTP id E9E043A6C06 for <cga-ext@ietf.org>; Tue, 20 Apr 2010 03:25:20 -0700 (PDT)
X-uc3m-safe: yes
Received: from bombo (bombo.it.uc3m.es [163.117.139.125]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by smtp03.uc3m.es (Postfix) with ESMTP id CBBA97331A3; Tue, 20 Apr 2010 12:25:07 +0200 (CEST)
From: =?ISO-8859-15?Q?Alberto_Garc=EDa?= <alberto@it.uc3m.es>
To: "'marcelo bagnulo braun'" <marcelo@it.uc3m.es>, <cga-ext@ietf.org>
References: <4BCD647B.1050600@it.uc3m.es>
Date: Tue, 20 Apr 2010 12:25:08 +0200
Message-ID: <1976F3118BF0443481221A22A5EAEF92@bombo>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcrgYt1v+tjTTbW5Q869JgngZxmrywAB8x6w
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
In-Reply-To: <4BCD647B.1050600@it.uc3m.es>
X-TM-AS-Product-Ver: IMSS-7.0.0.3116-6.0.0.1038-17162.002
Cc: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
Subject: Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 10:31:21 -0000

Hi,
Some comments:

In section 4 (What CGA can do for DHCPv6), it would help to describe the
scenario in which CGAs can be used, i.e. indicating which of the elements
use CGA, and in which part of the DHCP configuration process can be
beneficial the use of CGA. Even though the draft is not devoted to
solutions, at least it should be shown a scenario in which a possible
solution could be developed.

In fact, I do not clearly see why using CGA is an advantage in this
scenario: CGA are good to state that a node has the authorization to use a
given address, but it is not clear to me that it is to say that a node has
the authorization to act as something (a DHCP server, a relay). For this,
some configuration is required to bind the 'authorization' to the CGA
address. How is this done?
You then say a possible way of achieving this

"The minimum level of pre-configuration is to 
   configure public keys on both parties of communication or have a 
   third party authority available for users to retrieve public keys."

Well, the nice thing of CGA is that you don't need to know in advance keys,
but addresses (and the addresses can be securely bound to keys dynamically,
by means of conveying the CGA parameter data structure, which is verified to
see that the binding is correct). 

I think the configuration should be just the CGA address. But then, if you
need configuration, which is the benefit over IPsec? 
AFAIU IPsec has a number of benefits on its own: it is the current standard
for use in DCHP exchange, it allows negotiation of security parameters so it
is more secure than CGAs... The nice thing of CGAs is that in general you
use them without configuring anything or just by using them as addresses
(you just configure the DNS, and that's all).

May be I'm not understanding properly this part. Can you be more specific?
In addition, as a problem statement document, it should be more exhaustive
in detailing all the problems which can be addressed by CGAs (even though
there is no detail on the solution). 

---
In the second paragraph of the introduction you say:

"By using the associated public & private keys 
   as described by SEcure Neighbor Discovery (SEND) [RFC3971], CGAs can 
   protect the Neighbor Discovery Protocol (NDP) [RFC4861], i.e. they 
   can provide address validation and integrity protection for NDP 
   messages."

Although this is true, of course, I don't see the point in just considering
here0020one protocol which use CGAs. The draft is about configuring CGAs,
and this CGAs can be used for any purpose (SEND, SHIM6, any other). Here it
seems there is a specific dependency on SEND, which I think is not the case.
I would replace with: 
"CGAs are used in protocols such as SEND [RFC3971] or SHIM6 [RFC5533]."  or
something similar.

----

Regards,
Alberto

|  -----Mensaje original-----
|  De: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] En nombre
de
|  marcelo bagnulo braun
|  Enviado el: martes, 20 de abril de 2010 10:23
|  Para: cga-ext@ietf.org
|  CC: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
|  Asunto: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
|  
|  Hi,
|  
|  This note issues the WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
|  Please, review the document and send your comments before april the 10th.
|  
|  For your convenience, you can find the document at
|  http://datatracker.ietf.org/doc/draft-ietf-csi-dhcpv6-cga-ps/
|  
|  Regards, marcelo
|  
|  _______________________________________________
|  CGA-EXT mailing list
|  CGA-EXT@ietf.org
|  https://www.ietf.org/mailman/listinfo/cga-ext