Re: [CGA-EXT] Next steps

Tony Cheneau <tony.cheneau@it-sudparis.eu> Sun, 22 November 2009 22:13 UTC

Return-Path: <tony.cheneau@it-sudparis.eu>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 173E83A6996 for <cga-ext@core3.amsl.com>; Sun, 22 Nov 2009 14:13:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eRVHeGVZkmr3 for <cga-ext@core3.amsl.com>; Sun, 22 Nov 2009 14:13:21 -0800 (PST)
Received: from smtp4.int-evry.fr (smtp4.int-evry.fr [157.159.10.71]) by core3.amsl.com (Postfix) with ESMTP id 251183A6993 for <cga-ext@ietf.org>; Sun, 22 Nov 2009 14:13:19 -0800 (PST)
Received: from smtp2.int-evry.fr (smtp2.int-evry.fr [157.159.10.45]) by smtp4.int-evry.fr (Postfix) with ESMTP id 5346EFE18A8; Sun, 22 Nov 2009 23:13:15 +0100 (CET)
Received: from smtp-ext.int-evry.fr (smtp-ext.int-evry.fr [157.159.11.17]) by smtp2.int-evry.fr (Postfix) with ESMTP id 09467405066; Sun, 22 Nov 2009 23:13:10 +0100 (CET)
Received: from alf94-6-82-226-232-167.fbx.proxad.net (alf94-6-82-226-232-167.fbx.proxad.net [82.226.232.167]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-ext.int-evry.fr (Postfix) with ESMTP id 9B09590104; Sun, 22 Nov 2009 23:13:09 +0100 (CET)
Date: Sun, 22 Nov 2009 23:13:13 +0100 (CET)
From: Tony Cheneau <tony.cheneau@it-sudparis.eu>
X-X-Sender: shad@localhost.localdomain
To: Roque Gagliano <roque@lacnic.net>
In-Reply-To: <710B13EF-CF2B-4A95-8A6A-110EA86746EB@lacnic.net>
Message-ID: <alpine.LNX.2.00.0911222253090.11124@localhost.localdomain>
References: <4B03C4C7.2090708@it.uc3m.es> <075252F1-D10D-4FFA-8EEE-C2D185DA5626@lacnic.net> <alpine.LNX.2.00.0911181604410.7611@whitebox> <710B13EF-CF2B-4A95-8A6A-110EA86746EB@lacnic.net>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-INT-MailScanner-Information: Please contact the ISP for more information
X-INT-MailScanner-ID: 09467405066.AD400
X-INT-MailScanner: Found to be clean
X-INT-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (not cached, score=0.805, requis 6.01, BAYES_00 -2.60, FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR 2.43, RCVD_IN_SORBS_DUL 0.88, RDNS_DYNAMIC 0.10)
X-INT-MailScanner-From: tony.cheneau@it-sudparis.eu
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Next steps
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2009 22:13:22 -0000

Hi Rogue,

>> I have no opinion to express yet. However, can you clarify your third
>> proposal ? You propose to modify RFC 3971 so a CPA message contains
>> both a Cert AND the corresponding CRL ? This is somehow an optimization of your first proposal ?
>
> What I though that could be theoretically possible is that when a host request a certificate, the router could send the certificate and the CRL in the Certification Path Advertisement Message. However, if you have a host that is connected for several hours, you will need to go back to fetch the new version of the CRL from time to time without needing to request the Cert because those are long living. For this reason, option 3 may not be such a good idea.
Sending an extra certificates every few hours to keep the protocol
"simple" (reusing the same CPS/CPA messages) does not sound too bad for
me. Moreover, you could multicast the message to the All-Node
address, so all the node on the link can know that a certificate is
still valid. What is the opinion of the other people on the list ?


>> Another advantage of solution 1 and 3 is that the node can verify the
>> validity of a prefix during the Stateless Address Autoconfiguraton
>> procedure, before assigning any addresses corresponding to this prefix to
>> an interface. This, IMHO, is an important feature.
>>
>
> It is true that with option 2 you probably would need global unicast addresses to access the repositories that are outside of the local network while with option 1 you could send CRL request messages to the router using link local addresses. Is this what you meant?
Not exactly what I meant. I meant, you could send CPS/CRS message with the 
unspecified source address and receive a CPA/CRA from the router destined 
to the All-Nodes Multicast Address. Hence, you do not need to assign any 
addresses to our interfaces until you are sure that router's certificate 
has not been revoked.

Regards,
 	Tony