Re: [CGA-EXT] SEND checksum issue in current RFC 3791 - update needed
arno@natisbad.org (Arnaud Ebalard) Thu, 17 September 2009 08:59 UTC
From: arno@natisbad.org
To: Eric Levy-Abegnoli <elevyabe@cisco.com>
References: <002501ca376a$5eb39950$3a0c6f0a@china.huawei.com> <4AB1EB54.4000903@cisco.com>
Date: Thu, 17 Sep 2009 11:00:50 +0200
In-Reply-To: <4AB1EB54.4000903@cisco.com> (Eric Levy-Abegnoli's message of "Thu, 17 Sep 2009 09:55:00 +0200")
Message-ID: <87my4uoshp.fsf@small.ssi.corp>
Cc: 'wdwang' <wdwang@bupt.edu.cn>, cga-ext@ietf.org
Hi,

>> Yes, it is an issue that must be clearly clarified in the specification.
>> Actually, there are two possibilities here (which makes it more important
>> that the specification should clearly follow only one of them):

Not arguing on the fact that "A" will be kept because it is the
"implemented" solution (Docomo implementation, Cisco, probably Juniper
too).

>> A, if we would like to follow the description in Section 5.2.1 RFC 3791,
>> the input of RSA signature should be a checksum calculated without RSA
>> signature and it will be recalculated after signature attached. On the
>> receiver side, ICMP checksum should be validated, then signature
>> validated, then maybe checksum validated again.

For the record (correction welcome if I missed sth),

Signature computation:

 - Create ICMPv6 message w/o RSA Signature option
 - Compute ICMPv6 checksum as usual using the pseudo-header (current
   length, i.e. w/o the RSA Signature option)
 - Set that checksum in checksum field of the ICMPv6 header
 - Compute RSA Sig as described in section 5.2 of RFC 3971
 - Add RSA Signature Option at the end of the ICMPv6 message
 - Update ICMPv6 packet length to include RSA Sig option
 - Update IPv6 payload length to reflect addition of RSA Sig option
 - Update ICMPv6 checksum using updated pseudo-header for the computation
   (length value modified + addition of RSA Signature Option)

Signature verification:

 - Verify ICMPv6 checksum as usual on received message (obviously,
   including RSA Signature option)
 - Remove RSA Signature option from the packet
 - Update IPv6 length field to reflect previous removal
 - Recompute the checksum on the packet based on the new values (and w/o
   the RSA Sig Opt in the message)
 - Verify RSA Signature as described in RFC 3971

>> B, more efficiently, on the sender side, as you said, the input of RSA
>> signature should be a checksum with all 0, and after signature attached,
>> the checksum is computed over the whole packet. However, this makes the
>> signature over checksum totally meaningless. Alternatively, we may take
>> checksum bits out from the RSA signature input.

Performing the signature over the given layout with the null checksum
prevents useless copies: you zero the field, pass the whole buffer to
your signature function w/o the need to copy things to create a
different layout. But I guess this does not matter anymore.

Cheers,

a+
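The two orderings "A" and "B" discussed in the message above, worked through in code. This is an added example written for this archive page; it is not code from the thread, nor from any of the implementations mentioned (Docomo, Cisco, Juniper). Assumptions: the RSA signature is replaced by an HMAC-SHA256 stand-in (`sign_bytes`) so that the example runs with the Python standard library only; the signature input follows RFC 3971 section 5.2 (CGA Message Type tag, source and destination addresses, then the ICMPv6 message up to but not including the RSA Signature option); the Key Hash is the leftmost 128 bits of SHA-1 over the key bytes; the Neighbor Solicitation, addresses and key are constructed sample input, not a capture. What the paragraph alone does not show is the interoperability consequence: a packet signed under ordering A does not verify under ordering B, and vice versa, because the two sides sign different checksum bytes.

```python
"""SEND (RFC 3971) RSA Signature option: checksum/signature orderings A and B.

Added example for the thread above; not code from the thread or any SEND
implementation. The RSA signature is replaced by an HMAC-SHA256 stand-in
(assumption) so the byte layout, which is what the thread is about, can be
exercised offline. Sample packets and key are constructed, not captured.
"""
import hashlib
import hmac
import ipaddress
import struct

# 128-bit CGA Message Type tag reserved for SEND (RFC 3971, section 5.2).
SEND_CGA_TAG = bytes.fromhex("086FCA5E10B200C99C8CE00164277C08")
ICMPV6 = 58
RSA_SIG_OPT_TYPE = 12
# Fixed NDP header length (including the 4-byte ICMPv6 header) for RS/RA/NS/NA/Redirect.
NDP_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header and the ICMPv6 message.
    The upper-layer length in the pseudo-header is len(icmp), so adding or
    removing the RSA Signature option changes the pseudo-header as well."""
    data = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(src: bytes, dst: bytes, icmp: bytes) -> bytes:
    """Zero the checksum field, compute the checksum, write it back."""
    body = bytearray(icmp)
    body[2:4] = b"\x00\x00"
    body[2:4] = struct.pack("!H", icmpv6_checksum(src, dst, bytes(body)))
    return bytes(body)


def checksum_valid(src: bytes, dst: bytes, icmp: bytes) -> bool:
    return set_checksum(src, dst, icmp) == icmp


def zero_checksum(icmp: bytes) -> bytes:
    return icmp[:2] + b"\x00\x00" + icmp[4:]


def sign_bytes(key: bytes, data: bytes) -> bytes:
    """Stand-in for the RSA signature (assumption): HMAC-SHA256 over the input."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signature_input(src: bytes, dst: bytes, icmp_without_option: bytes) -> bytes:
    """RFC 3971 5.2: tag, addresses, then the ICMPv6 message up to (not including)
    the RSA Signature option. The checksum bytes inside icmp_without_option are
    whatever the caller left there; orderings A and B differ exactly on that."""
    return SEND_CGA_TAG + src + dst + icmp_without_option


def rsa_signature_option(key: bytes, signature: bytes) -> bytes:
    """Type | Length (8-octet units) | Reserved(2) | Key Hash(16) | Signature | Padding."""
    key_hash = hashlib.sha1(key).digest()[:16]
    body = b"\x00\x00" + key_hash + signature
    pad = (-(2 + len(body))) % 8
    return bytes([RSA_SIG_OPT_TYPE, (2 + len(body) + pad) // 8]) + body + b"\x00" * pad


def split_rsa_signature_option(icmp: bytes):
    """Walk the NDP options; return (message without the option, option bytes).
    The RSA Signature option must be the last option, so the cut is made there."""
    off = NDP_FIXED_LEN[icmp[0]]
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed NDP option")
        if otype == RSA_SIG_OPT_TYPE:
            return icmp[:off], icmp[off:off + olen]
        off += olen
    raise ValueError("no RSA Signature option")


def option_signature_matches(opt: bytes, expected: bytes) -> bool:
    # Signature starts after Type(1) + Length(1) + Reserved(2) + Key Hash(16).
    return hmac.compare_digest(expected, opt[20:20 + len(expected)])


# Ordering A: sign over a real checksum (computed without the option), then
# append the option and recompute the checksum over the longer message.
def sign_a(src: bytes, dst: bytes, icmp: bytes, key: bytes) -> bytes:
    msg = set_checksum(src, dst, icmp)
    sig = sign_bytes(key, signature_input(src, dst, msg))
    return set_checksum(src, dst, msg + rsa_signature_option(key, sig))


def verify_a(src: bytes, dst: bytes, packet: bytes, key: bytes) -> bool:
    if not checksum_valid(src, dst, packet):
        return False
    msg, opt = split_rsa_signature_option(packet)
    msg = set_checksum(src, dst, msg)  # checksum the sender had at signing time
    return option_signature_matches(opt, sign_bytes(key, signature_input(src, dst, msg)))


# Ordering B: sign over a zeroed checksum field in place, then append the
# option and compute the checksum once over the whole packet.
def sign_b(src: bytes, dst: bytes, icmp: bytes, key: bytes) -> bytes:
    msg = zero_checksum(icmp)
    sig = sign_bytes(key, signature_input(src, dst, msg))
    return set_checksum(src, dst, msg + rsa_signature_option(key, sig))


def verify_b(src: bytes, dst: bytes, packet: bytes, key: bytes) -> bool:
    if not checksum_valid(src, dst, packet):
        return False
    msg, opt = split_rsa_signature_option(packet)
    msg = zero_checksum(msg)
    return option_signature_matches(opt, sign_bytes(key, signature_input(src, dst, msg)))


# Constructed sample input (not a capture): NS for fe80::2 with one SLLA option.
SRC = ipaddress.IPv6Address("fe80::1").packed
DST = ipaddress.IPv6Address("ff02::1:ff00:2").packed
KEY = b"constructed-demo-key"


def sample_neighbor_solicitation() -> bytes:
    target = ipaddress.IPv6Address("fe80::2").packed
    header = struct.pack("!BBH", 135, 0, 0) + b"\x00" * 4 + target
    slla = bytes([1, 1]) + bytes.fromhex("001122334455")
    return header + slla


def demo() -> dict:
    ns = sample_neighbor_solicitation()
    pa, pb = sign_a(SRC, DST, ns, KEY), sign_b(SRC, DST, ns, KEY)
    return {
        "a_verifies_a": verify_a(SRC, DST, pa, KEY),
        "b_verifies_b": verify_b(SRC, DST, pb, KEY),
        "b_verifies_a": verify_b(SRC, DST, pa, KEY),  # cross-ordering: fails
        "a_verifies_b": verify_a(SRC, DST, pb, KEY),  # cross-ordering: fails
        "corrupted": verify_a(SRC, DST, pa[:-1] + bytes([pa[-1] ^ 1]), KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier for ordering A has to strip the option and recompute a checksum before it can check the signature, which is the extra pass the message describes; ordering B only zeroes two bytes in place. A real receiver also has to derive the signature length from the key named in the Key Hash rather than from a fixed digest size, and must reject an RSA Signature option that is not the last option; both are simplified here.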
- [CGA-EXT] SEND checksum issue in current RFC 3791… Sheng Jiang
- Re: [CGA-EXT] SEND checksum issue in current RFC … Arnaud Ebalard
- Re: [CGA-EXT] SEND checksum issue in current RFC … Sheng Jiang
- Re: [CGA-EXT] SEND checksum issue in current RFC … Eric Levy-Abegnoli
- Re: [CGA-EXT] SEND checksum issue in current RFC … Arnaud Ebalard
- Re: [CGA-EXT] SEND checksum issue in current RFC … Eric Levy-Abegnoli
- Re: [CGA-EXT] SEND checksum issue in current RFC … Arnaud Ebalard
- Re: [CGA-EXT] SEND checksum issue in current RFC … Arnaud Ebalard
- Re: [CGA-EXT] SEND checksum issue in current RFC … Sheng Jiang
- Re: [CGA-EXT] SEND checksum issue in current RFC … Sheng Jiang
- Re: [CGA-EXT] SEND checksum issue in current RFC … Sheng Jiang
- Re: [CGA-EXT] SEND checksum issue in current RFC … gx su
- Re: [CGA-EXT] SEND checksum issue in current RFC … Arnaud Ebalard