[dhcwg] sedhcpv6 data size issue (Re: WGLC on draft-ietf-dhc-sedhcpv6-21 - Respond by March 29th)

神明達哉 <jinmei@wide.ad.jp> Thu, 20 April 2017 17:53 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51181294A6; Thu, 20 Apr 2017 10:53:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O5XKDUiTJ-VN; Thu, 20 Apr 2017 10:53:24 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B256127F0E; Thu, 20 Apr 2017 10:53:24 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id y33so51681420qta.2; Thu, 20 Apr 2017 10:53:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to:cc; bh=n2okZI+1s6E+paDmWbBwk68t//YckIhoMhhIWv3xv10=; b=IC1wqD8WgVb1srVEP3XtJoUR/h1dRMadSwHCdeNBj973X9Q7nenb7LVqlfhd2Mydgq FA1EEDJaLN9UTmpup6K0N5cx4BO6pd5huKA9eieNsFCUJj5v85pRi1UabKDHlgA1k92f lcsy5UXg3GMeAL1x2BbzW43PTPkbE9YPHmejwds3AtPmsuh6ng7Ru1iMu4tIPTAoUPIw DK7CKFRQVilGQEnoMEqFA5od5EaGCqw7yIKolsaaktLHMt7oQSsMUggQrXRUA4TYkGAT 3O0WM6IaXSi5U1kh1z2voNquqduDQm3bo347/Dp7ieTL5Cf5LMOyY7waKsb2lEkamoFS FI4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc; bh=n2okZI+1s6E+paDmWbBwk68t//YckIhoMhhIWv3xv10=; b=f4HETQX6YQxg8C2oxXzGbkIPbWVGvTJwYIiz0LYNJJ/3b4/Y9ysK+quq/K6mJmdkBd vAxCl9vbnWZlPyMRC1ohA54KyqAAaZhNwyvLlneGQ6EKKcfa1zY9hJmJqiT5O5sp6x4O A/65TuKQ6HeHfUNpGQJVeOLyCO+1jh8govzdvFseVqap8IFEYQY2kEfkJ0hiDznwQfwH OP3Gfa+KUP3TkAqnFbWJUb0Ddbqp+/PX+z6tDbgRXbJPj07KMhAvxuIqaRtHVcuXIBXk T7xjCEspfjP0GEddljOX59sneKYsIawAonRSSkfRdCD5JsdyUpJ0gPvrKpEgY82BDoip wkvQ==
X-Gm-Message-State: AN3rC/6eZ6Q7s4VqVYmKN94evmfiEhqQGCjZl7AprXB8rAQ43sTpR3pF aZv5hn8kFMnMIOhdd/Qc4aCUNwqggw==
X-Received: by 10.200.36.212 with SMTP id t20mr10161697qtt.269.1492710803167; Thu, 20 Apr 2017 10:53:23 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.60.208 with HTTP; Thu, 20 Apr 2017 10:53:22 -0700 (PDT)
From: =?UTF-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>
Date: Thu, 20 Apr 2017 10:53:22 -0700
X-Google-Sender-Auth: E3JdbT_qHYMun8Fa79vP40vGfMc
Message-ID: <CAJE_bqdJKbe7mSLNnk24-_ZACd_U6EGbjaFQ8v6xYy=nuPiUbw@mail.gmail.com>
To: Timothy Carlin <tjcarlin@iol.unh.edu>
Cc: dhcwg <dhcwg@ietf.org>, draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/PHJAtYInrHMhAh5rm8pToi-vNC8>
Subject: [dhcwg] sedhcpv6 data size issue (Re: WGLC on draft-ietf-dhc-sedhcpv6-21 - Respond by March 29th)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 17:53:26 -0000

At Wed, 5 Apr 2017 13:13:38 -0400,
Timothy Carlin <tjcarlin@iol.unh.edu> wrote:

> I'm also wondering about using RSA for encryption, as the data size (and
> thus message size) is limited to the key size that the client or server
> provides.  This could cause problems with large DHCP messages.  Could a
> symmetric key algorithm (e.g. AES) be used?  The keys for this would have
> to be negotiated during the initial Information-request/Reply.

I agree the data size limitation of RSA can be critical.  At least
data for the very initial Encrypted-Query message is quite unlikely to
be encrypted at once, since the data contains a certificate option
(which contains the client's public key).  Assuming a 2048-bit key, we
can only encrypt 256 - (overhead for padding etc) octets of data at
once.  I'm afraid this is too limited even for subsequent messages
that don't contain the certificate option.  One straightforward
workaround is to divide the data and encrypt each chunk separately,
but this may not be acceptable due to the cost, especially for the
server.  (Even if we adopt this approach I guess the current draft
text is too unclear about it and should be revised to describe
specifically how to do it).

I suspect using symmetric session keys can't be an (easy) option,
either.  At least I don't think we can do this negotiation in the
initial Information-Request/Reply exchange, since to do so the client
would have to include its certificate in the Information-Request
message but we intentionally avoid that due to a privacy concern.

In any case, I'm afraid this issue will require some substantial
changes to the specification.  Right now I don't have a clear idea
about what's the best.

--
JINMEI, Tatuya