Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
marcelo bagnulo braun <marcelo@it.uc3m.es> Thu, 22 April 2010 06:02 UTC
To: Sheng Jiang <shengjiang@huawei.com>
Cc: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org, cga-ext@ietf.org
In order to expedite the work on this draft and since the comments received seem to be more than editorial, I would suggest that the authors do send a proposed text to the mailing list for discussion as soon as possible (rather than waiting for the WGLC to end and submit a new version of the draft).

Regards, marcelo

On 21/04/10 4:52, Sheng Jiang wrote:
> Dear Alberto,
>
> Thanks for your comments. Most of them will be addressed in an update
> version after WGLC along with other comments we may receive. Detailed
> replies in lines.
>
> Best regards,
>
> Sheng
>
>> -----Original Message-----
>> From: Alberto García [mailto:alberto@it.uc3m.es]
>> Sent: Tuesday, April 20, 2010 6:25 PM
>> To: 'marcelo bagnulo braun'; cga-ext@ietf.org
>> Cc: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
>> Subject: RE: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
>>
>> Hi,
>> Some comments:
>>
>> In section 4 (What CGA can do for DHCPv6), it would help to
>> describe the scenario in which CGAs can be used, i.e.
>> indicating which of the elements use CGA, and in which part
>> of the DHCP configuration process can be beneficial the use
>> of CGA. Even though the draft is not devoted to solutions, at
>> least it should be shown a scenario in which a possible
>> solution could be developed.
>>
> CGA can be used for all DHCP messages/processes as long as CGA is available.
> We will make it clearer in the update version.
>
>> In fact, I do not clearly see why using CGA is an advantage in this
>> scenario: CGA are good to state that a node has the
>> authorization to use a given address, but it is not clear to
>> me that it is to say that a node has the authorization to act
>> as something (a DHCP server, a relay). For this, some
>> configuration is required to bind the 'authorization' to the
>> CGA address. How is this done?
>> You then say a possible way of achieving this
>>
> This kind of authorization is based on pre-configuration conditions. For
> example, a node has been pre-configured a public key of a certain DHCP
> server (or a trust anchor). We will make it clearer in the update version.
>
>> "The minimum level of pre-configuration is to
>> configure public keys on both parties of communication or have a
>> third party authority available for users to retrieve public keys."
>>
>> Well, the nice thing of CGA is that you don't need to know in
>> advance keys, but addresses (and the addresses can be
>> securely bound to keys dynamically, by means of conveying the
>> CGA parameter data structure, which is verified to see that
>> the binding is correct).
>>
> Agree. However, there is no any restriction that CGA can be used with
> authority information together. This draft does not propose any concrete
> solution, but list the possibilities. Of course, we should explain clearly
> the scenario without any pre-configuration. It will be in the update
> version.
>
>> I think the configuration should be just the CGA address. But
>> then, if you need configuration, which is the benefit over IPsec?
>> AFAIU IPsec has a number of benefits on its own: it is the
>> current standard for use in DHCP exchange, it allows
>> negotiation of security parameters so it is more secure than
>> CGAs... The nice thing of CGAs is that in general you use
>> them without configuring anything or just by using them as
>> addresses (you just configure the DNS, and that's all).
>>
> The same with above.
>
>> Maybe I'm not understanding properly this part. Can you be
>> more specific?
>> In addition, as a problem statement document, it should be
>> more exhaustive in detailing all the problems which can be
>> addressed by CGAs (even though there is no detail on the solution).
>>
> If you meant the scenario without any pre-configuration, it will be included
> in the update version. If you think there are other missing, please point
> out. We are glad to include.
>
>> ---
>> In the second paragraph of the introduction you say:
>>
>> "By using the associated public & private keys
>> as described by SEcure Neighbor Discovery (SEND)
>> [RFC3971], CGAs can
>> protect the Neighbor Discovery Protocol (NDP) [RFC4861], i.e. they
>> can provide address validation and integrity protection for NDP
>> messages."
>>
>> Although this is true, of course, I don't see the point in
>> just considering here one protocol which use CGAs. The
>> draft is about configuring CGAs, and these CGAs can be used
>> for any purpose (SEND, SHIM6, any other). Here it seems there
>> is a specific dependency on SEND, which I think is not the case.
>> I would replace with:
>> "CGAs are used in protocols such as SEND [RFC3971] or SHIM6
>> [RFC5533]." or something similar.
>>
> It will be addressed in the update version. Many thanks for your valuable
> comments.
>
> Best regards,
>
> Sheng
>
>> ----
>>
>> Regards,
>> Alberto
>>
>> | -----Original Message-----
>> | From: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] On behalf of marcelo bagnulo braun
>> | Sent: Tuesday, 20 April 2010 10:23
>> | To: cga-ext@ietf.org
>> | CC: draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
>> | Subject: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
>> |
>> | Hi,
>> |
>> | This note issues the WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
>> | Please, review the document and send your comments before April the 10th.
>> |
>> | For your convenience, you can find the document at
>> | http://datatracker.ietf.org/doc/draft-ietf-csi-dhcpv6-cga-ps/
>> |
>> | Regards, marcelo
>> |
>> | _______________________________________________
>> | CGA-EXT mailing list
>> | CGA-EXT@ietf.org
>> | https://www.ietf.org/mailman/listinfo/cga-ext
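
The two checks the thread distinguishes, as an added example that is not part of any message or of the draft: verifying that an address is bound to the key in the conveyed CGA Parameters data structure (the RFC 3972 hash checks), and separately deciding whether that address may act as a DHCP server. The function names, the sample prefix and the placeholder key bytes are assumptions made for illustration; extension fields and the signature over the message are left out.

```python
import hashlib
import ipaddress

# Interface-identifier bits skipped when comparing with Hash1 (RFC 3972):
# bits 0-2 carry Sec, bits 6 and 7 are the "u" and "g" bits.
HASH1_MASK = 0x1CFFFFFFFFFFFFFF

def cga_params(modifier, prefix, collision_count, public_key):
    """CGA Parameters: modifier(16) | prefix(8) | collision count(1) | key."""
    assert len(modifier) == 16 and len(prefix) == 8
    return modifier + prefix + bytes([collision_count]) + public_key

def generate_cga(params):
    """Derive a Sec=0 address, so no modifier search is needed."""
    hash1 = int.from_bytes(hashlib.sha1(params).digest()[:8], "big")
    iid = hash1 & HASH1_MASK                      # Sec, u and g bits all zero
    return ipaddress.IPv6Address(params[16:24] + iid.to_bytes(8, "big"))

def verify_cga(address, params):
    """True if the address is bound to the key carried in params."""
    if len(params) < 25 or params[24] > 2:        # collision count is 0, 1 or 2
        return False
    raw = address.packed
    if raw[:8] != params[16:24]:                  # subnet prefix must match
        return False
    iid = int.from_bytes(raw[8:], "big")
    hash1 = int.from_bytes(hashlib.sha1(params).digest()[:8], "big")
    if (hash1 ^ iid) & HASH1_MASK:
        return False
    sec = iid >> 61
    # Hash2 input: modifier, nine zero octets, then the public key
    hash2 = hashlib.sha1(params[:16] + bytes(9) + params[25:]).digest()
    return hash2[:2 * sec] == bytes(2 * sec)      # leftmost 16*Sec bits zero

def accept_as_dhcp_server(address, params, configured_servers):
    """Ownership proof alone is not authorization: the address must also
    be one the client was configured to trust."""
    return address in configured_servers and verify_cga(address, params)

# Constructed sample values; the "keys" are placeholder bytes, not DER keys.
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
SERVER_PARAMS = cga_params(bytes(16), PREFIX, 0, b"constructed-server-key")
OTHER_PARAMS = cga_params(bytes(16), PREFIX, 0, b"constructed-other-key")
SERVER_ADDR = generate_cga(SERVER_PARAMS)
OTHER_ADDR = generate_cga(OTHER_PARAMS)
CONFIGURED = {SERVER_ADDR}

if __name__ == "__main__":
    print(verify_cga(OTHER_ADDR, OTHER_PARAMS))                         # valid CGA
    print(accept_as_dhcp_server(OTHER_ADDR, OTHER_PARAMS, CONFIGURED))  # not configured
    print(accept_as_dhcp_server(SERVER_ADDR, SERVER_PARAMS, CONFIGURED))
```

A node that generates its own key pair always passes `verify_cga` for its own address, which is why the server role here is tied to the configured address set rather than to the binding check.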