[CGA-EXT] Supporting non-CGA addresses in SEND

Eric Levy-Abegnoli <elevyabe@cisco.com> Tue, 04 March 2008 14:59 UTC

From: Eric Levy-Abegnoli <elevyabe@cisco.com>
Organization: Cisco
To: cga-ext@ietf.org
Date: Tue, 04 Mar 2008 15:52:42 +0100
User-Agent: KMail/1.9.7
MIME-Version: 1.0
Content-Type: Multipart/Mixed; boundary="Boundary-00=_7IWzHOt7izhAtuE"
Message-Id: <200803041552.43038.elevyabe@cisco.com>
Subject: [CGA-EXT] Supporting non-CGA addresses in SEND
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Sender: cga-ext-bounces@ietf.org
Errors-To: cga-ext-bounces@ietf.org

Hello,
please find attached a set of proposed changes to RFC3971, to support 
non-CGA addresses.
Even though non-CGA addresses are touched in several places in the current 
spec, there are also many holes, left "for future work".  This proposal intends 
to fill the holes. 
On the motivation front:  
- some devices need secure handcrafted addresses, so SEND should provide 
complete specification for securing these addresses in NDP. 
- CGA brings "only" address ownership proof, while sometimes, address 
authorization is needed.  
- CGA may not be considered secure enough (due to number of crypto bits 
available) and a stronger scheme is needed.

As far as the mechanism to secure non-CGA addresses, it is already suggested in 
3971. The proposed scheme uses certificates, exchanged through CPS/CPA and trust 
anchor, exactly like in Authorization Delegation Discovery.

In order to come up with the text below, I have chased every place where CGA was 
required, and added the alternative to use certificates. The changes describe 
the flow necessary to authorize addresses and establish address ownership 
with certificate. It also describes an "Address Authorization Certificate" 
Profile, and indicates its relationship with the Router Authorization 
Certificate Profile.

Review and comments welcome.
Thanks!
Eric Levy-Abegnoli
_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext