IETF Logo Mail Archive

Re: [CGA-EXT] New Version for draft-krishnan-csi-proxy-send-00

Julien Laganier <julien.IETF@laposte.net> Thu, 19 June 2008 08:23 UTC

Return-Path: <cga-ext-bounces@ietf.org>
X-Original-To: cga-ext-archive@optimus.ietf.org
Delivered-To: ietfarch-cga-ext-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B60483A6922; Thu, 19 Jun 2008 01:23:37 -0700 (PDT)
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C2F7D3A6922 for <cga-ext@core3.amsl.com>; Thu, 19 Jun 2008 01:23:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.454
X-Spam-Level:
X-Spam-Status: No, score=-2.454 tagged_above=-999 required=5 tests=[AWL=0.145, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5qrdi1vK9H0 for <cga-ext@core3.amsl.com>; Thu, 19 Jun 2008 01:23:35 -0700 (PDT)
Received: from ik-out-1112.google.com (ik-out-1112.google.com [66.249.90.182]) by core3.amsl.com (Postfix) with ESMTP id 020093A6892 for <cga-ext@ietf.org>; Thu, 19 Jun 2008 01:23:34 -0700 (PDT)
Received: by ik-out-1112.google.com with SMTP id c28so404704ika.5 for <cga-ext@ietf.org>; Thu, 19 Jun 2008 01:24:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :user-agent:cc:references:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:message-id:sender; bh=e3/+yh40zUT1ynEM9tpdgQNcUtrnRlvksMSzESSd5pY=; b=T7wpxnOViYvuonT0Oyhjfp8vFRNeNBS9mBj3Ru0JtFlM8m6ftoDgIyArOCCUzlkl9K DxAwnPt3DNgoyuRilk8WQJczfdQzKQVf6AHWYfXdzoysLNgQHvFi0/EeMhOCCMWUjDty 0u5SxQ4yoW7TW89eNFMD9RoG5z6PuZOE4Pmvk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding :content-disposition:message-id:sender; b=dPW5UHmWgrrpi6+PO4telUPbu1XVhdR+652W8FhWU0tGd/2HapgntAbHcIBvb02L3G 4BZ7wz9pCFt0M8334L7NKzvoV9rAWbRffh2l84kpld6rfrKsIu0YcbI1tRtTfDcRCLh+ 3cg/hoUYBnCWonIKgMLQ7eNH4N6G3FYzbFMRQ=
Received: by 10.210.91.17 with SMTP id o17mr1560526ebb.172.1213863864497; Thu, 19 Jun 2008 01:24:24 -0700 (PDT)
Received: from klee.local ( [212.119.9.178]) by mx.google.com with ESMTPS id j8sm591923gvb.1.2008.06.19.01.24.21 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 19 Jun 2008 01:24:23 -0700 (PDT)
From: Julien Laganier <julien.IETF@laposte.net>
To: cga-ext@ietf.org
Date: Thu, 19 Jun 2008 10:24:26 +0200
User-Agent: KMail/1.9.9
References: <729b68be0806061730y7bf7f8e7ld3d2b2a5de4155f5@mail.gmail.com> <485950F5.9020107@ericsson.com> <729b68be0806181414q2b8cdc17vd37b6fee1aa83892@mail.gmail.com>
In-Reply-To: <729b68be0806181414q2b8cdc17vd37b6fee1aa83892@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200806191024.26564.julien.IETF@laposte.net>
Subject: Re: [CGA-EXT] New Version for draft-krishnan-csi-proxy-send-00
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: cga-ext-bounces@ietf.org
Errors-To: cga-ext-bounces@ietf.org

On Wednesday 18 June 2008, Jean-Michel Combes wrote:
> Hi Suresh,

Hello Jean-Michel,

> Sorry but some points are unclear for me.

Let's try to clear them then.

> At first, what are assumptions you have regarding the MN?
> From my point of view, the MN is able to use SEND: in using either
> CGA or a cert linked to its address. Is it the same assumption for
> you because I am not sure this is the case? :)

First let's talk about nodes rather than MN since I don't see what's 
specific about mobility in this discussion.

With the current SEND a node has no alternative to CGA to prove address 
ownership. I evocated a possible use of certificates for that purpose 
but that is unspecified. At last IETF, Eric Levy-Abegnoli also 
presented modifications to the SEND specification that would allow use 
of certificates.

This use of certified addresses is orthogonal the the Secure Proxy ND 
discussion, although the solution is the same, i.e. using a certificate 
to authorize issuing ND signalling for one/some addresses.

> Second point, if the MN have a CGA, how does the ND Proxy get the
> cert which will allow it to sign the NDP signaling instead of the MN?

Like a router does. The certificate of the ND proxy doesn't need to 
contain the address the specific address of a MN, it can simply contain 
a prefix advertized on the links, thus authorizing the ND proxy to 
issue ND signalling for all addresses under that prefix. The 
certificate can also contain no prefix at all, in which case the ND 
proxy can issue ND signalling for any address.

> Last point, if the MN have a cert linked to its address, how does
> this cert is provided to the MN?

That's again orthogonal to secure ND proxy, but let me answer once more: 
in a similar fashion that a router does, e.g. the administrator install 
the certificate on the node, like it does on the router.

> Thanks for your help.

You're welcome.

--julien

> 2008/6/18, Suresh Krishnan <suresh.krishnan@ericsson.com>:
> > Hi Jean-Michel,
> >   Please see comments inline
> >
> >  Jean-Michel Combes wrote:
> > > Hi Julien,
> > >
> > > 2008/6/12, Julien Laganier <julien.IETF@laposte.net>:
> > > > Hello Jean-Michel,
> > > >
> > > >  On Saturday 07 June 2008, Jean-Michel Combes wrote:
> > > >  > Hi,
> > > >  >
> > > >  > After a quick review, I have one comment and one question:
> > > >  > - IMHO, your solution should work too with anycast addresses
> > > >  > case
> > > >
> > > > It seems so. It also seems it would work to secure NS/NA
> > > > exchange based on certificates rather than CGA.
> > >
> > > Not sure that certs defined in krishnan-cgaext-send-cert-eku are
> > > well adapted for such a use: IMHO, prefix ownership is not the
> > > same as address ownership.
> >
> >  Why not :-)? If the IP address in the certificate is a /128 and
> > the EKU value is "owner" (or some variant of this), these
> > certificates can be used for address ownership.
> >
> > > > To achieve that it would also be
> > > >  necessary to define another EKU (extended key usage) for
> > > > "Address ownership", in addition to "Router" and "Proxy".
> > >
> > > But what is in the cert when you want to use it to proxy NS/NA?
> > > An address or a prefix?
> >
> >  The /128 address of the node with eku value of "owner"
> >
> > > >  > - How will a ND-Proxy get the certificate authorizing it to
> > > >  > act as an ND-Proxy?
> > > >
> > > > In the same fashion that a Router gets the certificate
> > > > authorizing it to act as a router.
> > >
> > > May I have details in the case of the MIPv6 scenario? Specially,
> > > who does provide the cert?
> >
> >  In very basic terms, the certificate is provided by anyone the MN
> > that the MN trusts. e.g. this could be the mobility service
> > provider.
> >
> >  Cheers
> >  Suresh
>
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext


_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext

v2.23.0 | Report a Bug | By Email