Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

Jean-Michel Combes <jeanmichel.combes@gmail.com> Fri, 20 November 2009 16:19 UTC

In-Reply-To: <alpine.LNX.2.00.0911201144010.7546@whitebox>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <BF345F63074F8040B58C00A186FCA57F1C66087842@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911201144010.7546@whitebox>
Date: Fri, 20 Nov 2009 17:19:30 +0100
Message-ID: <729b68be0911200819o39a9dd66jf5b888f05d2ab7df@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Tony Cheneau <tony.cheneau@it-sudparis.eu>
Cc: "draft-ietf-csi-proxy-send@tools.ietf.org" <draft-ietf-csi-proxy-send@tools.ietf.org>, "Laganier, Julien" <julienl@qualcomm.com>, "cga-ext@ietf.org" <cga-ext@ietf.org>
Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

Hi Tony,

2009/11/20 Tony Cheneau <tony.cheneau@it-sudparis.eu>:
> Hi Julien,
>
> Comments inline:
>
> On Thu, 19 Nov 2009, Laganier, Julien wrote:
>
>> Hi Tony,
>>
>> Thanks for reviewing the draft!
>>

<snip>

> Another question that comes to my mind just now, and that may need
> clarification in your document, is:
> Is your solution able to provide Secure Proxy ND for the fe80::/64
> prefix? I mean, a router does not announce this prefix as it is not a
> routable one. Then, there will be no CPS/CPA exchange for this prefix,
> meaning no certificate exchange. What is the processing of a host
> receiving an ND message toward a fe80::/64 address signed with a Proxy
> Signature Option? How can it learn the certificate of the Secure Proxy
> ND? This should be addressed as it is a use case of RFC 4389 (I think).
>

IMHO, securing ND Proxy for the fe80::/64 case is out of scope.
AFAIK (e.g. on FreeBSD, Debian), there is no proxied DAD process for
fe80::/64-based addresses in a multilink scenario, because a router is
able to uniquely differentiate two nodes having the same Link-Local
address on two different links: that's why, when you want to ping one
node using its Link-Local address from a router, you also have to
specify the interface of the router connected to the node.

Cheers.

JMC.
> Feel free to ask if I'm not clear enough and you need clarifications.
>
> Best regards,
>        Tony
>
>
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext
>
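A small Python model of the point made in the reply above, added here as an illustration and not code from the draft or from either poster: a multilink router keys link-local neighbours by (interface, address), so two nodes using the same fe80:: address on different links never collide and need no proxied DAD, whereas a global address shared across links does. `MultilinkRouter`, `needs_proxied_dad` and the node names are hypothetical; the `%zone` notation is the RFC 4007 syntax used when pinging a link-local neighbour from the router.

```python
import ipaddress

# fe80::/64 is the link-local prefix; no router advertises it, so no CPS/CPA for it.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def split_zone(text):
    """Split RFC 4007 zone syntax ('fe80::1%eth0') into (address, zone or None)."""
    addr, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), (zone or None)


def needs_proxied_dad(text):
    """Link-local targets are unique per link only, and the router tells them apart
    by interface; proxied DAD is only needed for a global prefix spanning links."""
    addr, _ = split_zone(text)
    return addr not in LINK_LOCAL


class MultilinkRouter:
    """Hypothetical neighbour table of a router with several links (constructed model)."""

    def __init__(self, links):
        self.links = set(links)
        self.neighbours = {}  # (link or None, IPv6Address) -> node name

    def learn(self, node, text, link):
        """Record a neighbour; False means a duplicate that proxied DAD would have to catch."""
        addr, zone = split_zone(text)
        if link not in self.links or (zone is not None and zone != link):
            raise ValueError("address zone does not match the receiving link")
        # link-local is keyed per link; a global address is keyed router-wide
        key = (link, addr) if addr in LINK_LOCAL else (None, addr)
        owner = self.neighbours.setdefault(key, node)
        return owner == node

    def lookup(self, text):
        """Resolve a neighbour; a link-local address must carry its zone, as with ping."""
        addr, zone = split_zone(text)
        if addr in LINK_LOCAL:
            if zone is None:
                raise ValueError("link-local address needs a zone, e.g. fe80::1%eth0")
            return self.neighbours.get((zone, addr))
        return self.neighbours.get((None, addr))


if __name__ == "__main__":
    r = MultilinkRouter(["eth0", "eth1"])
    r.learn("A", "fe80::1", "eth0")
    r.learn("B", "fe80::1", "eth1")  # same link-local address on another link: no conflict
    print(r.lookup("fe80::1%eth0"), r.lookup("fe80::1%eth1"))  # A B
    print(r.learn("A", "2001:db8:1::10", "eth0"), r.learn("B", "2001:db8:1::10", "eth1"))  # True False
```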