Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

Tony Cheneau <tony.cheneau@it-sudparis.eu> Thu, 26 November 2009 08:53 UTC

Return-Path: <tony.cheneau@it-sudparis.eu>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D4B933A6A6D for <cga-ext@core3.amsl.com>; Thu, 26 Nov 2009 00:53:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQWhvvB6p18v for <cga-ext@core3.amsl.com>; Thu, 26 Nov 2009 00:53:45 -0800 (PST)
Received: from smtp4.int-evry.fr (smtp4.int-evry.fr [157.159.10.71]) by core3.amsl.com (Postfix) with ESMTP id BC5573A6BA9 for <cga-ext@ietf.org>; Thu, 26 Nov 2009 00:53:44 -0800 (PST)
Received: from smtp2.int-evry.fr (smtp2.int-evry.fr [157.159.10.45]) by smtp4.int-evry.fr (Postfix) with ESMTP id 19071FE1BEF; Thu, 26 Nov 2009 09:53:39 +0100 (CET)
Received: from smtp-ext.int-evry.fr (smtp-ext.int-evry.fr [157.159.11.17]) by smtp2.int-evry.fr (Postfix) with ESMTP id C56504055D8; Thu, 26 Nov 2009 09:53:32 +0100 (CET)
Received: from pat4661.micro.int-evry.fr (unknown [157.159.103.112]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-ext.int-evry.fr (Postfix) with ESMTP id 3638290103; Thu, 26 Nov 2009 09:53:32 +0100 (CET)
Date: Thu, 26 Nov 2009 09:53:46 +0100 (CET)
From: Tony Cheneau <tony.cheneau@it-sudparis.eu>
X-X-Sender: shad@whitebox
To: "Laganier, Julien" <julienl@qualcomm.com>
In-Reply-To: <BF345F63074F8040B58C00A186FCA57F1C65FB2A51@NALASEXMB04.na.qualcomm.com>
Message-ID: <alpine.LNX.2.00.0911260951580.7596@whitebox>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <BF345F63074F8040B58C00A186FCA57F1C66087842@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911201144010.7546@whitebox> <BF345F63074F8040B58C00A186FCA57F1C65FB277D@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain> <BF345F63074F8040B58C00A186FCA57F1C65FB2942@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911242317130.11124@localhost.localdomain> <BF345F63074F8040B58C00A186FCA57F1C65FB2A51@NALASEXMB04.na.qualcomm.com>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-INT-MailScanner-Information: Please contact the ISP for more information
X-INT-MailScanner-ID: C56504055D8.A860A
X-INT-MailScanner: Found to be clean
X-INT-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (not cached, score=-4.399, requis 6.01, autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60)
X-INT-MailScanner-From: tony.cheneau@it-sudparis.eu
Cc: "draft-ietf-csi-proxy-send@tools.ietf.org" <draft-ietf-csi-proxy-send@tools.ietf.org>, "cga-ext@ietf.org" <cga-ext@ietf.org>
Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 08:53:45 -0000

Hi Julien,

> All right Tony, then I assume we want to have the fe80::/64 prefix present in the certificate when proxying of link local addresses is required (e.g., RFC 4389, RFC 5213.) Do you think we have to include additional text in the draft to reflect that? If yes, any suggestion?

I think some text may be needed to clarify the issue (which is new and 
related to the Secure ND proxy).
Maybe a new section, right after 6.2, named "Handling of Link-Local
Addresses". Containing:

"Secure Neighbor Discovery [RFC3971] relies on certificate to 
prove that routers are authorized to announce a certain prefix.
However, Neighbor Discovery [RFC4861] states that router does not
announce the Link-Local prefix (fe80::/64). Hence, it is unusual for a
SEND certificate to hold a X.509 IP address extensions that authorizes
the fe80::/64 prefix. Some scenario ([RFC4389], [RFC5213], etc) imposes
that the Secure ND proxy provides proxying function for the Link-Local
address of a node. When Secure ND proxy functionality on a Link-Local
address is required, either the address or the Link-Local prefix MUST
be explicitly authorized in routers certificate."

What do you think of it ?

Regards,
 	Tony