Re: [CGA-EXT] Next steps

Tony Cheneau <tony.cheneau@it-sudparis.eu> Sun, 22 November 2009 22:13 UTC

Date: Sun, 22 Nov 2009 23:13:13 +0100
From: Tony Cheneau <tony.cheneau@it-sudparis.eu>
To: Roque Gagliano <roque@lacnic.net>
In-Reply-To: <710B13EF-CF2B-4A95-8A6A-110EA86746EB@lacnic.net>
Message-ID: <alpine.LNX.2.00.0911222253090.11124@localhost.localdomain>
References: <4B03C4C7.2090708@it.uc3m.es> <075252F1-D10D-4FFA-8EEE-C2D185DA5626@lacnic.net> <alpine.LNX.2.00.0911181604410.7611@whitebox> <710B13EF-CF2B-4A95-8A6A-110EA86746EB@lacnic.net>
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Next steps

Hi Roque,

>> I have no opinion to express yet. However, can you clarify your third
>> proposal? You propose to modify RFC 3971 so a CPA message contains
>> both a Cert AND the corresponding CRL? This is somehow an optimization of your first proposal?
>
> What I thought could be theoretically possible is that when a host requests a certificate, the router could send the certificate and the CRL in the Certification Path Advertisement Message. However, if you have a host that is connected for several hours, you will need to go back to fetch the new version of the CRL from time to time without needing to request the Cert because those are long-lived. For this reason, option 3 may not be such a good idea.

Sending an extra certificate every few hours to keep the protocol
"simple" (reusing the same CPS/CPA messages) does not sound too bad to
me. Moreover, you could multicast the message to the All-Nodes
address, so all the nodes on the link can know that a certificate is
still valid. What is the opinion of the other people on the list?


>> Another advantage of solution 1 and 3 is that the node can verify the
>> validity of a prefix during the Stateless Address Autoconfiguration
>> procedure, before assigning any addresses corresponding to this prefix to
>> an interface. This, IMHO, is an important feature.
>>
>
> It is true that with option 2 you probably would need global unicast addresses to access the repositories that are outside of the local network while with option 1 you could send CRL request messages to the router using link local addresses. Is this what you meant?

Not exactly what I meant. I meant, you could send CPS/CRS messages with the
unspecified source address and receive a CPA/CRA from the router destined
to the All-Nodes Multicast Address. Hence, you do not need to assign any
addresses to your interfaces until you are sure that the router's certificate
has not been revoked.

Regards,
 	Tony
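Added example, not part of the thread: a small encoder/parser for the RFC 3971 CPS/CPA messages (ICMPv6 types 148 and 149, Certificate option type 12) that shows the addressing rule Tony relies on, a host with no address yet sends the CPS from "::" and the router answers with a CPA to the All-Nodes group ff02::1, and the host accepts the CPA only if the identifier and destination match. Assumptions: the ICMPv6 checksum is left 0 (filled by the IP stack), the certificate bytes are a constructed placeholder, and no CRL option is encoded because RFC 3971 defines none (that is what Roque's option 3 would add).

```python
import struct

ICMP_CPS, ICMP_CPA = 148, 149          # RFC 3971 ICMPv6 message types
OPT_CERT, CERT_X509V3 = 12, 1          # Certificate option type / cert type field
ALL_COMPONENTS = 0xFFFF                # "send the whole path"
UNSPECIFIED, ALL_NODES = "::", "ff02::1"

def build_cps(identifier, component=ALL_COMPONENTS):
    # Type, Code, Checksum(0, assumed filled by stack), Identifier, Component
    return struct.pack("!BBHHH", ICMP_CPS, 0, 0, identifier, component)

def cert_option(cert_bytes):
    # Type, Length (8-octet units), Cert Type, Reserved, Certificate, Padding
    body = struct.pack("!BB", CERT_X509V3, 0) + cert_bytes
    pad = (-(2 + len(body))) % 8
    return struct.pack("!BB", OPT_CERT, (2 + len(body) + pad) // 8) + body + b"\0" * pad

def router_reply(cps_src, cps_pkt, cert_bytes):
    """Router side: unspecified CPS source means the CPA goes to All-Nodes."""
    typ, _, _, ident, _comp = struct.unpack("!BBHHH", cps_pkt[:8])
    if typ != ICMP_CPS:
        raise ValueError("not a CPS")
    dst = ALL_NODES if cps_src == UNSPECIFIED else cps_src
    # Type, Code, Checksum, Identifier, All Components, Component, Reserved
    hdr = struct.pack("!BBHHHHH", ICMP_CPA, 0, 0, ident, 1, 0, 0)
    return dst, hdr + cert_option(cert_bytes)

def parse_cpa(pkt):
    typ, code, _, ident, allc, comp, _ = struct.unpack("!BBHHHHH", pkt[:12])
    if typ != ICMP_CPA or code != 0:
        raise ValueError("not a CPA")
    certs, off = [], 12
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # would loop forever
        if otype == OPT_CERT:
            # Placeholder cert: strip padding; real DER should use its own length header
            certs.append((pkt[off + 2], pkt[off + 4: off + 8 * olen].rstrip(b"\0")))
        off += 8 * olen
    return {"identifier": ident, "all": allc, "component": comp, "certs": certs}

def host_accepts(cps_src, sent_identifier, cpa_dst, cpa_pkt):
    """Host side: the CPA must answer our identifier and arrive where we expect."""
    info = parse_cpa(cpa_pkt)
    expected_dst = ALL_NODES if cps_src == UNSPECIFIED else cps_src
    return (info["identifier"] == sent_identifier and cpa_dst == expected_dst
            and bool(info["certs"]))
```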