IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

神明達哉 <jinmei@wide.ad.jp> Tue, 15 November 2016 18:01 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45FBE128DF6 for <dhcwg@ietfa.amsl.com>; Tue, 15 Nov 2016 10:01:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z7JZOMYOUaFE for <dhcwg@ietfa.amsl.com>; Tue, 15 Nov 2016 10:01:17 -0800 (PST)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB63129408 for <dhcwg@ietf.org>; Tue, 15 Nov 2016 10:01:17 -0800 (PST)
Received: by mail-qk0-x234.google.com with SMTP id q130so145145887qke.1 for <dhcwg@ietf.org>; Tue, 15 Nov 2016 10:01:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UvrDLe0DFfmKgePXtwcuQhHIwcG0jzxUqtj+DOXg158=; b=CLd3Zv6evBDY5+g4g6OpzNVWBMHaa8g/t3Na6edt4aN3saWbPgX9mzXqkuEbcav2re XHTOJcaeFp3+mDLPQw7c+y4ujFMZf+skv8URSYX99XTVSZTeb3TiX30Nr6MZS3LOGfUJ xYbTkE1dpZCbZ9uLPp2H+aHWcAOBqkPxiLSiU/WtNXwVHMQXI85MxL5rGIdevvyN7VMX 24oXmTQCYDbig3v8o6J+zPsZsidPFfVrbzDSdF2KjcdATgLG2qdcZwOSaAzenV62OvtH BKsuUIz/454mOo0d45N+aSSigMZPAzhtV5XjPVEo5RzmtRTYqDmvNHfh63Oy5Vt7Fcvc NGUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=UvrDLe0DFfmKgePXtwcuQhHIwcG0jzxUqtj+DOXg158=; b=k07s0v/d+J6ixdMtTiqnDSAhsBlSIXykdIgnlsPyey0u1958vBQPUrZQXPDcAMQEre fXvMqeOW+xi20QNuDDnhV7qqvZppCZSlDHU8m/7o5kqjrDrMntDhKbWmqX1ZxKc3vGea hAFj4D4dcJsUO8XldyUj3qFB5q44ftxdMtG+CCPp3EXCqJNP9knlnzJ40xP/yDpfv9Z3 zIpQ1K/NAZOzf7ro8PLAjmUjzrYp72BJbzG062Nr9muSf6P7HdRcwh23SXG9wbosqGYD NTM36HXb7wCpmHKNH4g6Ek3/yZBJpiA7d4cMtm3bXN5V4NThiVgC/0etBSrfEhcUQAMz 7DCA==
X-Gm-Message-State: ABUngvcSuGHMw0BXUGsWB5/XW8JQIdVKJWAEcuQjIVHayDruso84WjpEDezdavRvAD3JRXCegQihfBnwgXsJyw==
X-Received: by 10.55.161.21 with SMTP id k21mr24056544qke.149.1479232876676; Tue, 15 Nov 2016 10:01:16 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.53.155 with HTTP; Tue, 15 Nov 2016 10:01:15 -0800 (PST)
In-Reply-To: <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com> <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com> <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Tue, 15 Nov 2016 10:01:15 -0800
X-Google-Sender-Auth: MENr25oGQ3jBrTmhDqUAEcZk0QI
Message-ID: <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com>
To: Lishan Li <lilishan48@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/AY7kvcVJoMLpAfuf3jckzRUEvAE>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2016 18:01:19 -0000

At Tue, 15 Nov 2016 15:27:46 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > BTW this makes me notice one related issue: it doesn't seem to be
> > possible for a server to identify the private key to decrypt the
> > message contained in an Encrypted-message Option contained in the
> > Encrypted-Query message unless it tries all private keys it might be
> > used.
> >
> [LS]: The private key which is corresponding to the public key for
> encryption
> algorithm is used for decryption. After sending the Reply message, the
> message
> transaction-id is used as the identifier of the private key for decryption.

Can you be more specific about this?  For example, assume the client
tries to send a Solicit message encrypting it with a server's public
key (and assume the server supports multiple algorithms and multiple
key pairs).  The encrypted solicit message that the server receives
would look like this:

msg-type: Encrypted-Query
transaction-id: some random number the client generates on building
  the Encrypted-Query (per Section 15.1 of RFC3315 or 16.1 of
  rfc3315bis-06).
options:
  Encrypted-message option:
    option-code: OPTION_ENCRYPTED_MSG
    option-len: set appropriately
    encrypted DHCPv6 message: opaque data to be decrypted

Do you mean the server can use the transaction-id included in the
Encrypted-Query message to identify the algorithm and the private key
to decrypt "encrypted DHCPv6 message"?  If so, specifically how?  As
noted above the transaction-id value is chosen by the client at the
time of generating this message and the server cannot know or
(easily) predict it in advance.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email