Re: [dhcwg] comments on draft-ietf-dhc-sedhcpv6-10.txt
神明達哉 <jinmei@wide.ad.jp> Thu, 25 February 2016 17:53 UTC
At Thu, 25 Feb 2016 20:45:16 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > Okay. So focusing on the Reply message (#2): my point was:
> >
> > - in effect, its only content is the certificate (or public key).
> > - the recipient is already expected to validate this only content
> >   directly (by comparing it with locally pre-configured info, by using
> >   a PKI, etc), so we do not necessarily need to provide additional
> >   integrity protection for it by signing the message.
> > - on the other hand, if we eliminate the signing and the signature
> >   option from this, we'll completely eliminate this option from the
> >   protocol. This will help make the protocol simpler and reduce
> >   development costs.
> >
> > If you still disagree, perhaps it helps if you can show a specific
> > attack vector because of the lack of the signature.
> >
> > [LS]: Agree. But if we don't need the signature option, then the timestamp
> option makes no sense, which is used to defend against anti-replay
> attack before.

For #2, correct. We'll still need the timestamp option, though, for
the anti-replay protection of encrypted messages. (We might be able to
make it simpler such as a trivial sequence number, exploiting the fact
that the message is encrypted. In that sense, it may not have to be a
"time stamp").

> > > Right, but this argument also holds even if we have TOFU... [...]
> > > > [LS]: In consideration of the support of TOFU and the addition of all such
> > > discussions and consensus, the better way for us is to add the public key
> > > option as the before secure DHCPv6 version.
> > > Am I correct?
> >
> > No, I just didn't see why the public key option was removed (the
> > explanation regarding TOFU didn't make sense to me). As I already
> > said, I'm not necessarily opposed to removing it if there's a
> > convincing reason that can outweigh its cons.
> >
> > [LS]: The self-signed certificate is the argument of the removal of the
> public key option.
> And we also need to supply some text to illustrate that it can
> outweigh its cons. For the drawback of the method, the size of the DHCPv6
> message is increased when we actually only need the public key, not the
> certificate. However, the size of the X.509 certificate is not very large,
> such as 1KB, which will not cause IPv6 fragmentation and other problems.

Repeating my previous point just to make sure that we are on the same
page: the argument that a self-signed certificate should make a public
key option redundant isn't new in our recent changes. So I'd wonder
why we are now bothering it. If this is a completely new attempt of
cleanup, I suggest making it very clear (i.e., it has nothing to do
with mandated encryption etc) and discussing it accordingly.

--
JINMEI, Tatuya
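
Added example, not part of the original message or of the draft: a receiver-side comparison of the two anti-replay checks mentioned above, a per-peer sequence number versus a plain tolerance-window timestamp check. The class names, peer identifier and traffic values are constructed for illustration, and the timestamp check is a simplification, not the draft's procedure.

```python
# Added example (not from the draft): receiver-side replay checks.
# Assumption: `seq` / `ts` are read from the payload only after the
# message has been successfully decrypted, so a sender without the key
# cannot choose them; a replayed ciphertext carries its old value.
from dataclasses import dataclass, field


@dataclass
class SequenceGuard:
    """Accept a message only if its counter exceeds the last one per peer."""
    last_seen: dict = field(default_factory=dict)  # peer_id -> highest seq

    def accept(self, peer_id: str, seq: int) -> bool:
        if seq <= self.last_seen.get(peer_id, -1):
            return False            # replayed or reordered: drop
        self.last_seen[peer_id] = seq
        return True


@dataclass
class TimestampGuard:
    """Accept a message whose timestamp is within `tolerance` of local time."""
    tolerance: float                # seconds of allowed clock skew + delay

    def accept(self, ts: float, now: float) -> bool:
        return abs(now - ts) <= self.tolerance


def demo():
    # Constructed traffic: (peer, counter, sender timestamp, arrival time).
    # The third entry is a byte-for-byte replay of the first, 2 s later.
    traffic = [("client-A", 1, 100.0, 100.2),
               ("client-A", 2, 101.0, 101.1),
               ("client-A", 1, 100.0, 102.2)]
    seq_guard, ts_guard = SequenceGuard(), TimestampGuard(tolerance=5.0)
    return [(seq_guard.accept(p, s), ts_guard.accept(t, now))
            for p, s, t, now in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print("sequence=%s timestamp=%s" % verdict)
```

The counter check needs only one stored integer per peer and no clock agreement, but the sender must keep its counter across restarts. The window-only timestamp check accepts the replayed message because it arrives inside the tolerance.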