Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Ted Lemon <mellon@fugue.com> Wed, 07 June 2017 22:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/SBWg6KuKuLdkBZ-BDsZqnx4bPlM>

On Jun 7, 2017, at 5:58 PM, Francis Dupont <Francis.Dupont@fdupont.fr> wrote:
> => the theory of IPsec operations is very simple: you have two databases:
> - the Security Association DataBase
> - the Security Policy Database.
> When you have a packet you see in the SPD what to do. If the policy is
> to do some IPsec processing on the packet you look for the parameters
> in the SADB and if there is no SA when there should be one then you ask
> IKE to create one (in fact a pair).
> So the configuration consists of populating the SPD (e.g. by setkey)
> and telling IKE what to do (define peers, credentials, a zillion
> options).

Right. That's what I mean. The encrypted payload is going to the host where the relay agent is running, which doesn't have the key to decrypt the payload. And so the packet is never delivered to the relay agent, and hence never forwarded to the DHCP server.
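
The SPD/SADB processing and the relay failure discussed in this thread, as an added example that is not part of either message: a simplified Python model with no real cryptography. The `Host` class, the function names, the addresses (documentation prefix) and the SPI values are all constructed for illustration, and the client is assumed to already know the server's address.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count

_spi = count(0x1000)  # constructed SPI values

@dataclass
class Host:
    name: str
    addr: str
    spd: list = field(default_factory=list)   # ordered (dst_net, proto, dport, action)
    sadb: dict = field(default_factory=dict)  # ("out", peer) -> SPI, ("in", SPI) -> peer

    def policy(self, dst, proto, dport):
        """First matching SPD entry decides; no match means bypass."""
        for net, p, port, action in self.spd:
            if ip_address(dst) in ip_network(net) and (p, port) == (proto, dport):
                return action
        return "bypass"

def ike_negotiate(a, b):
    """Stand-in for IKE: installs a pair of SAs (one per direction) on both peers."""
    for src, dst in ((a, b), (b, a)):
        spi = next(_spi)
        src.sadb[("out", dst.addr)] = spi
        dst.sadb[("in", spi)] = src.addr

def send(src, peer, proto, dport, payload):
    """Outbound: consult the SPD, then the SADB, and ask IKE on a miss."""
    action = src.policy(peer.addr, proto, dport)
    if action == "discard":
        return None
    if action == "bypass":
        return {"esp": False, "data": payload}
    if ("out", peer.addr) not in src.sadb:
        ike_negotiate(src, peer)
    return {"esp": True, "spi": src.sadb[("out", peer.addr)], "data": payload}

def receive(host, pkt):
    """Inbound: an ESP packet whose SPI has no SA on this host is dropped."""
    if pkt["esp"] and ("in", pkt["spi"]) not in host.sadb:
        return "dropped: no SA for SPI"
    return "delivered to application"

def demo():
    client = Host("client", "2001:db8::10",
                  spd=[("2001:db8::1/128", "udp", 547, "protect")])
    server = Host("server", "2001:db8::1")
    relay = Host("relay", "2001:db8::2")      # never took part in IKE
    pkt = send(client, server, "udp", 547, b"solicit")
    return receive(relay, pkt), receive(server, pkt), len(client.sadb)
```

The relay host's SADB has no entry for the SPI negotiated between client and server, so the packet is dropped before the relay agent sees it, while the same packet would be accepted by the server.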