Re: [dhcwg] Fw:New Version Notification for draft-cui-dhc-dhcpv6-encryption-00.txt
神明達哉 <jinmei@wide.ad.jp> Fri, 10 July 2015 18:08 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDFBE1B2A1B for <dhcwg@ietfa.amsl.com>; Fri, 10 Jul 2015 11:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QEbuSejhrlel for <dhcwg@ietfa.amsl.com>; Fri, 10 Jul 2015 11:08:23 -0700 (PDT)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A92B31ACE37 for <dhcwg@ietf.org>; Fri, 10 Jul 2015 11:08:23 -0700 (PDT)
Received: by ykeo3 with SMTP id o3so148937646yke.0 for <dhcwg@ietf.org>; Fri, 10 Jul 2015 11:08:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=UXGL0pJd42ZnNz0DWvPpxtYMRJE/js8J0OPhEDXeLzs=; b=WpJOV6lYnw0obFH+zGwD9w2KEP+YjflcouI7fwNYGgg8EkMl4S8zwxIVysQtMGkn8+ Ls0xnUef3Da8ql2wcuE/AE5PK2zpdBKf06aRKqmlIQtQ/IQcGGKZp1SviGoKVxwNc0cr pl9p7407b5umBJmX+Nv81LxR57aFeEOWtfA5ja6gB1+oSM5QE7UGxCzTa8xlOkg6bFjY nj8xgFmS99m+InZb1OLpNHCQucXaKlLd+Vayzcmyjlv8JFQgJnXfDg2EAo6DnQAW3DXc DZW2tbmAHamTGHXFbaxrIVIPUKNsiF5Jp7pAq0/2osUAPqVFQ75L1+ZXjkeaIvl4lykB wT1g==
MIME-Version: 1.0
X-Received: by 10.13.228.194 with SMTP id n185mr4607937ywe.165.1436551703079; Fri, 10 Jul 2015 11:08:23 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.37.48.131 with HTTP; Fri, 10 Jul 2015 11:08:23 -0700 (PDT)
In-Reply-To: <639aa3c9.1158f.14dbe76fb5e.Coremail.lilishan48@126.com>
References: <639aa3c9.1158f.14dbe76fb5e.Coremail.lilishan48@126.com>
Date: Fri, 10 Jul 2015 11:08:23 -0700
X-Google-Sender-Auth: TNVB5K-zP418yNwQulwKpW60wGA
Message-ID: <CAJE_bqc+dqM3TgdHvHgB3ZocMGGnMkMpapKm7k9fW=mUTzgn3A@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Lishan Li <lilishan48@126.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/-LKarUgnCXXVdERQHEnnFFSh3-s>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Fw:New Version Notification for draft-cui-dhc-dhcpv6-encryption-00.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 18:08:24 -0000
On Thu, Jun 4, 2015 at 5:06 AM, Lishan Li <lilishan48@126.com> wrote: > We have submitted a new draft about DHCPv6 Authentication and Encryption > mechanism. > This document discusses two possible solutions to achieve the authentication > and encryption between DHCPv6 server and client. One solution needs to be > selected to solve the DHCPv6 privacy problem. We are not sure which one the > WG would prefer. > Could you please review the draft and any comments are welcome. I don't have a strong opinion either way, but since "Solution B" would require a substantial change to the original protocol anyway (as described in Section 4.4), "Solution A" seems a bit better. Some other random thoughts: - Especially if we use "Solution A", wouldn't it be better to use a symmetric key after authentication, rather than keep using public/private keys? For a client that may not matter much, but for a busy server the performance overhead difference might be substantial. - And, to this end, would it be feasible to use a separate encryption mechanism such as DTLS rather than introducing a built-in mechanism for DHCP(v6)? (In case of DTLS we should at least consider how to handle multicast traffic, though). - If (one of) the main purpose for encryption is to hide clients' identity, we'll probably also need to consider the identify disclosure via the certificate or public key. - The draft seems to (implicitly?) assume this encryption will be used for stateful DHCPv6 sessions starting with a SOLICIT message. Would it also be expected to be used for stateless sessions beginning with INFORMATION-REQUEST? -- JINMEI, Tatuya