Re: [CGA-EXT] New Version for draft-krishnan-csi-proxy-send-00
Julien Laganier <julien.IETF@laposte.net> Thu, 19 June 2008 08:08 UTC
From: Julien Laganier <julien.IETF@laposte.net>
To: cga-ext@ietf.org
Date: Thu, 19 Jun 2008 10:09:30 +0200
On Wednesday 18 June 2008, Jean-Michel Combes wrote:
> Hi Julien,

Hi Jean-Michel,

> 2008/6/12, Julien Laganier <julien.IETF@laposte.net>:
> > Hello Jean-Michel,
> >
> > On Saturday 07 June 2008, Jean-Michel Combes wrote:
> > > Hi,
> > >
> > > After a quick review, I have one comment and one question:
> > > - IMHO, your solution should work too with anycast addresses
> > > case
> >
> > It seems so. It also seems it would work to secure NS/NA exchange
> > based on certificates rather than CGA.
>
> Not sure that certs defined in krishnan-cgaext-send-cert-eku are well
> adapted for such a use: IMHO, prefix ownership is not the same as
> address ownership.

An address is a "degenerated" prefix, i.e. a /128 prefix. From that point of view address ownership is just a special case of prefix ownership.

But what you seem to get at is that authorization to advertise a prefix is different from ownership of that prefix, and there I agree. I don't think we'd have a problem since what I proposed is to use different EKUs to clearly distinguish between "Address ownership", i.e. in the context of SEND the authorization to issue ND signalling for a given IP address, vs. "router", i.e. the authorization to issue ND signalling advertising a given IP prefix, and "proxy", i.e. the ability to issue ND signalling for any IP address within a given IP prefix.

> > To achieve that it would also be
> > necessary to define another EKU (extended key usage) for "Address
> > ownership", in addition to "Router" and "Proxy".
>
> But what is in the cert when you want to use it to proxy NS/NA? An
> address or a prefix?

There seems to be a confusion here. The usage of certs for address ownership and security of NS/NA exchanges I proposed in the previous message is orthogonal to support of proxy ND; these are two different things. The draft proposes to use certificates to support proxy ND, in which case the cert contains either the on-link prefix, or nothing.

For the address ownership usage I proposed, the cert would contain the address of the node asserting ownership without CGA.

> > > - How will a ND-Proxy get the certificate authorizing it to act
> > > as an ND-Proxy?
> >
> > In the same fashion that a Router gets the certificate authorizing
> > it to act as a router.
>
> May I have details in the case of the MIPv6 scenario? Specially, who
> does provide the cert?

In my view there's no difference between provisioning of authorization certificates on routers vs. home agents. Not sure what kind of detail you're concerned about. It would help if you would sketch up the detailed provisioning of certificates on a router and point out the steps that are different for a HA in your opinion.

Cheers,
--julien

_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext
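As an added example, not code from the draft, from krishnan-cgaext-send-cert-eku, or from either correspondent, the following Python model encodes the authorization split the message above argues for: an address is a /128 prefix, so address ownership is the degenerate case of prefix containment, but what a certificate authorizes (advertising a prefix, proxying ND for every address in a prefix, or issuing ND for one owned address) is decided by its EKU, not by the prefix alone. The EKU names, the `SendCert` record, the three sample certificates and the prefixes under 2001:db8::/32 are constructed placeholders; they are not the OIDs or certificate profile of any RFC or draft.

```python
"""Authorization checks for SEND-style certificates, keyed on EKU.

Added illustration (not from the draft or the thread). The "router", "proxy"
and "owner" EKUs below are placeholder names; real deployments would carry
OIDs in the certificate's extendedKeyUsage extension and IP resources in an
IP address block extension. Both are modelled as plain Python values here.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Eku(Enum):
    ROUTER = "send-router"  # may advertise a prefix (RA / redirect)
    PROXY = "send-proxy"    # may issue NS/NA for any address within a prefix
    OWNER = "send-owner"    # may issue NS/NA for one address (a /128 prefix)


@dataclass(frozen=True)
class SendCert:
    subject: str
    ekus: frozenset            # set of Eku values present in the certificate
    prefixes: tuple            # IPv6Network resources the cert is issued for


def _within_resources(cert, net):
    """True if `net` lies inside at least one prefix the cert was issued for."""
    return any(net.subnet_of(p) for p in cert.prefixes)


def may_advertise_prefix(cert, prefix):
    """Router authorization: RA for `prefix` needs the ROUTER EKU and
    the prefix inside the cert's resources. Holding the prefix alone (for
    example as an owner or proxy) does not authorize advertising it."""
    net = ipaddress.IPv6Network(prefix)
    return Eku.ROUTER in cert.ekus and _within_resources(cert, net)


def may_sign_nd_for_address(cert, address):
    """NS/NA for `address`: OWNER requires the exact /128 to be listed,
    PROXY requires containment in a listed prefix. ROUTER gives nothing
    here: advertising a prefix is not ownership of its addresses."""
    host = ipaddress.IPv6Network((ipaddress.IPv6Address(address), 128))
    if Eku.OWNER in cert.ekus and host in cert.prefixes:
        return True
    if Eku.PROXY in cert.ekus and _within_resources(cert, host):
        return True
    return False


# Constructed sample certificates (placeholder subjects and documentation prefixes).
LINK = ipaddress.IPv6Network("2001:db8:1::/64")
ROUTER_CERT = SendCert("router.example", frozenset({Eku.ROUTER}), (LINK,))
HA_PROXY_CERT = SendCert("ha.example", frozenset({Eku.PROXY}), (LINK,))
OWNER_CERT = SendCert("host.example", frozenset({Eku.OWNER}),
                      (ipaddress.IPv6Network("2001:db8:1::10/128"),))


def authorization_table():
    """Summarise who may do what; returned as a dict so it can be checked."""
    return {
        "router advertises own link": may_advertise_prefix(ROUTER_CERT, "2001:db8:1::/64"),
        "router advertises foreign link": may_advertise_prefix(ROUTER_CERT, "2001:db8:2::/64"),
        "router proxies an on-link address": may_sign_nd_for_address(ROUTER_CERT, "2001:db8:1::10"),
        "HA proxies an on-link address": may_sign_nd_for_address(HA_PROXY_CERT, "2001:db8:1::10"),
        "HA proxies an off-link address": may_sign_nd_for_address(HA_PROXY_CERT, "2001:db8:2::10"),
        "owner signs ND for its address": may_sign_nd_for_address(OWNER_CERT, "2001:db8:1::10"),
        "owner signs ND for a neighbour": may_sign_nd_for_address(OWNER_CERT, "2001:db8:1::11"),
        "owner advertises its /128": may_advertise_prefix(OWNER_CERT, "2001:db8:1::10/128"),
    }


if __name__ == "__main__":
    for action, allowed in authorization_table().items():
        print(f"{action:40s} {'allowed' if allowed else 'denied'}")
```

The last two rows of the table are the point of the message: the owner certificate carries a /128, so containment alone would make the holder look like a "prefix owner", yet without the router EKU it cannot advertise anything, and a proxy certificate for the same /64 does not make its holder the owner of any one address in it.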