Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt

marcelo bagnulo braun <> Thu, 22 April 2010 06:02 UTC

Date: Thu, 22 Apr 2010 07:58:17 +0200
From: marcelo bagnulo braun <>
To: Sheng Jiang <>
Subject: Re: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt

In order to expedite the work on this draft, and since the comments 
received seem to be more than editorial, I would suggest that the 
authors send a proposed text to the mailing list for discussion as 
soon as possible (rather than waiting for the WGLC to end and submitting a 
new version of the draft).

Regards, marcelo

On 21/04/10 4:52, Sheng Jiang wrote:
> Dear Alberto,
> Thanks for your comments. Most of them will be addressed in an updated
> version after WGLC, along with other comments we may receive. Detailed
> replies inline.
> Best regards,
> Sheng
>> -----Original Message-----
>> From: Alberto García []
>> Sent: Tuesday, April 20, 2010 6:25 PM
>> To: 'marcelo bagnulo braun';
>> Cc:
>> Subject: RE: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
>> Hi,
>> Some comments:
>> In section 4 (What CGA can do for DHCPv6), it would help to
>> describe the scenario in which CGAs can be used, i.e.
>> indicating which of the elements use CGA, and in which part
>> of the DHCP configuration process the use of CGA can be
>> beneficial. Even though the draft is not devoted to solutions, at
>> least a scenario should be shown in which a possible
>> solution could be developed.
> CGA can be used for all DHCP messages/processes as long as CGA is available.
> We will make it clearer in the update version.
>> In fact, I do not clearly see why using CGA is an advantage in this
>> scenario: CGAs are good to state that a node has the
>> authorization to use a given address, but it is not clear to
>> me that they can say that a node has the authorization to act
>> as something (a DHCP server, a relay). For this, some
>> configuration is required to bind the 'authorization' to the
>> CGA address. How is this done?
>> You then say a possible way of achieving this:
> This kind of authorization is based on pre-configuration conditions. For
> example, a node has been pre-configured with the public key of a certain DHCP
> server (or a trust anchor). We will make it clearer in the updated version.
>> "The minimum level of pre-configuration is to
>>     configure public keys on both parties of communication or have a
>>     third party authority available for users to retrieve public keys."
>> Well, the nice thing of CGA is that you don't need to know in
>> advance keys, but addresses (and the addresses can be
>> securely bound to keys dynamically, by means of conveying the
>> CGA parameter data structure, which is verified to see that
>> the binding is correct).
> Agree. However, there is no restriction preventing CGA from being used
> together with authority information. This draft does not propose any concrete
> solution, but lists the possibilities. Of course, we should explain clearly
> the scenario without any pre-configuration. It will be in the updated
> version.
>> I think the configuration should be just the CGA address. But
>> then, if you need configuration, what is the benefit over IPsec?
>> AFAIU IPsec has a number of benefits on its own: it is the
>> current standard for use in DHCP exchange, it allows
>> negotiation of security parameters so it is more secure than
>> CGAs... The nice thing of CGAs is that in general you use
>> them without configuring anything or just by using them as
>> addresses (you just configure the DNS, and that's all).
> The same as above.
>> Maybe I'm not understanding this part properly. Can you be
>> more specific?
>> In addition, as a problem statement document, it should be
>> more exhaustive in detailing all the problems which can be
>> addressed by CGAs (even though there is no detail on the solution).
> If you meant the scenario without any pre-configuration, it will be included
> in the updated version. If you think there are others missing, please point
> them out. We are glad to include them.
>> ---
>> In the second paragraph of the introduction you say:
>> "By using the associated public & private keys
>>     as described by SEcure Neighbor Discovery (SEND) [RFC3971], CGAs can
>>     protect the Neighbor Discovery Protocol (NDP) [RFC4861], i.e. they
>>     can provide address validation and integrity protection for NDP
>>     messages."
>> Although this is true, of course, I don't see the point in
>> just considering here one protocol which uses CGAs. The
>> draft is about configuring CGAs, and these CGAs can be used
>> for any purpose (SEND, SHIM6, any other). Here it seems there
>> is a specific dependency on SEND, which I think is not the case.
>> I would replace it with:
>> "CGAs are used in protocols such as SEND [RFC3971] or SHIM6
>> [RFC5533]."  or something similar.
> It will be addressed in the updated version. Many thanks for your valuable
> comments.
> Best regards,
> Sheng
>> ----
>> Regards,
>> Alberto
>> |  -----Original Message-----
>> |  From: [] On behalf of marcelo bagnulo braun
>> |  Sent: Tuesday, 20 April 2010 10:23
>> |  To:
>> |  CC:
>> |  Subject: [CGA-EXT] WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt
>> |
>> |  Hi,
>> |
>> |  This note issues the WGLC for draft-ietf-csi-dhcpv6-cga-ps-01.txt.
>> |  Please review the document and send your comments before
>> |  April the 10th.
>> |
>> |  For your convenience, you can find the document at
>> |
>> |  Regards, marcelo