Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

神明達哉 <jinmei@wide.ad.jp> Mon, 14 November 2016 17:24 UTC

In-Reply-To: <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Mon, 14 Nov 2016 09:24:21 -0800
Message-ID: <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com>
To: Lishan Li <lilishan48@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/AifEIQ_BV-Dc-WhW5n7-eX6GP_o>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

At Tue, 15 Nov 2016 00:16:41 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> >> Alternatively, we might add both an EA-id and SA-id fields to the
> >> option:
> >>
> >>     0                   1                   2                   3
> >>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> >>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >>    |      OPTION_CERTIFICATE       |         option-len            |
> >>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >>    |            EA-id              |            SA-id              |
> >>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >>    |                                                               |
> >>    .                  Certificate List(variable length)            .
> >>    |                                                               |
> >>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> >> (I'm not sure if this has to be a list of certificates instead of one
> >> certificate, but that's a different question).
> >
> >
> >> And we can use a value of 0 for EA-id and SA-id to mean this
> >> certificate is not supposed to be used for encryption and signature,
> >> respectively.  (The combination of 0, 0 makes no sense so we should
> >> probably prohibit the use of it explicitly).
> >>
> > [LS]: So, there is no need to define a new field. The EA-id and SA-id are
> > used to identify the certificate type.

If you use this approach, correct.  Note, however, that I'm not
necessarily pushing a particular approach at this time.  I'm just
showing various possible approaches for discussion.  You may want to
consider the pros and cons of these approaches yourself.

> > And the certificate list field should be changed to a certificate field. If
> > multiple certificates are contained, then multiple certificate options are
> > contained.

Regarding this, I'm not sure.  Basically the choice of EA-id and SA-id
should be fixed (it should be the most preferred one for the server,
and it's known that the client supports it), so the question is
whether we want to make it possible to include multiple different
certificates for that combination of EA and SA.  That sounds to me
like an unlikely scenario in practice, although being flexible/generic
itself is not necessarily bad.

> [LS]: In this way, the certificate option and Signature option both contain
> the SA-id field, and the contents of the two SA-ids are the same.

Yes (otherwise the recipient should treat it as an error condition).

BTW this makes me notice one related issue: it doesn't seem to be
possible for a server to identify the private key to decrypt the
message contained in an Encrypted-message Option contained in the
Encrypted-Query message unless it tries all private keys that might
have been used.

--
jinmei
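The option layout sketched in the quoted text above (OPTION_CERTIFICATE carrying an EA-id and an SA-id in front of the certificate data), together with the two rules discussed in the thread, namely that the (0, 0) combination is prohibited and that the SA-id in the certificate option must equal the SA-id in the Signature option, can be expressed as a small parser. The following is an added example for illustration; it is not code from the draft, its authors, or this message. It assumes the standard DHCPv6 option header (2-byte option-code, 2-byte option-len counting the bytes that follow), treats the certificate data as opaque bytes, and uses a placeholder option code because no code point for OPTION_CERTIFICATE appears on the page.

```python
"""Parser for the EA-id/SA-id variant of OPTION_CERTIFICATE discussed above.

Added example, not code from draft-ietf-dhc-sedhcpv6 or its authors.
Assumptions that are not on the page:
  * OPTION_CERTIFICATE_CODE is a placeholder; no option code is assigned here.
  * The certificate data after the SA-id is handled as opaque bytes.
"""
import struct
from dataclasses import dataclass

OPTION_CERTIFICATE_CODE = 0xFFFE      # placeholder, not an IANA-assigned value
HEADER = struct.Struct("!HHHH")       # option-code, option-len, EA-id, SA-id
FIXED_BODY_LEN = 4                    # EA-id (2) + SA-id (2), counted by option-len

# Constructed placeholder bytes standing in for a DER certificate list.
SAMPLE_CERT_LIST = bytes.fromhex("3003020101")


@dataclass(frozen=True)
class CertificateOption:
    ea_id: int
    sa_id: int
    cert_list: bytes

    @property
    def usable_for_encryption(self) -> bool:
        # EA-id 0 means "not to be used for encryption".
        return self.ea_id != 0

    @property
    def usable_for_signature(self) -> bool:
        # SA-id 0 means "not to be used for signature".
        return self.sa_id != 0


def build_certificate_option(ea_id: int, sa_id: int, cert_list: bytes) -> bytes:
    """Encode one OPTION_CERTIFICATE; option-len excludes the 4-byte code/len header."""
    return HEADER.pack(OPTION_CERTIFICATE_CODE, FIXED_BODY_LEN + len(cert_list),
                       ea_id, sa_id) + cert_list


def parse_certificate_option(buf: bytes) -> CertificateOption:
    """Parse one OPTION_CERTIFICATE from the start of buf.

    Raises ValueError for a truncated or inconsistent option, and for the
    prohibited EA-id = SA-id = 0 combination.
    """
    if len(buf) < HEADER.size:
        raise ValueError("truncated option header")
    code, length, ea_id, sa_id = HEADER.unpack_from(buf)
    if code != OPTION_CERTIFICATE_CODE:
        raise ValueError(f"unexpected option code {code}")
    if length < FIXED_BODY_LEN:
        raise ValueError("option-len shorter than the EA-id/SA-id fields")
    if len(buf) < 4 + length:
        raise ValueError("option body truncated")
    if ea_id == 0 and sa_id == 0:
        # A certificate usable for neither encryption nor signature is meaningless.
        raise ValueError("EA-id and SA-id are both 0")
    cert_list = buf[HEADER.size:4 + length]
    return CertificateOption(ea_id, sa_id, cert_list)


def sa_ids_consistent(cert: CertificateOption, signature_sa_id: int) -> bool:
    """The Signature option's SA-id must match the certificate option's SA-id;
    a mismatch is an error condition for the recipient."""
    return cert.sa_id == signature_sa_id


if __name__ == "__main__":
    wire = build_certificate_option(1, 2, SAMPLE_CERT_LIST)
    opt = parse_certificate_option(wire)
    print(opt, "consistent with Signature SA-id 2:", sa_ids_consistent(opt, 2))
```

`parse_certificate_option` consumes exactly one option; a caller walking a full DHCPv6 option list would advance by `4 + option-len` after each call, which also means several certificate options can appear back to back if the thread's one-certificate-per-option reading is adopted.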