IETF Logo Mail Archive

Re: [dhcwg] comments on draft-ietf-dhc-sedhcpv6-10.txt

Lishan Li <lilishan48@gmail.com> Tue, 01 March 2016 15:39 UTC

Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77EE21B2D9A; Tue, 1 Mar 2016 07:39:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level:
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNEwDqEsxHZZ; Tue, 1 Mar 2016 07:39:35 -0800 (PST)
Received: from mail-lf0-x236.google.com (mail-lf0-x236.google.com [IPv6:2a00:1450:4010:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 600CE1B2DB0; Tue, 1 Mar 2016 07:39:34 -0800 (PST)
Received: by mail-lf0-x236.google.com with SMTP id l13so3908534lfb.1; Tue, 01 Mar 2016 07:39:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=OpWAp1thk59i49TYA8Ey1okmpXNPoWo+AbWfVy3cv2A=; b=hPOpjWO22/dd/n0QFbQes2IOXNVwlb9cgML45KyDvIhxewQNpQ8d8Q+aXLckS0XWd9 xzq68tdBLzxn42HoDnB2yjuAicj3xozGv9pHRDcd3ctk0f6qKaWX6UyOnfQXRcV8VYNq 5s//2drmFDwokLcCfvhD+Kwz5umQrWnp6A2Oa+13QVdvmm4oAxXICDigza9XTZLmI1KS Jo/kwjqLNlw1aCNVBxprSpHrPAZxbTU5FqI4hwFMk+eSVL36w4ErcGCwVKQ6WM0e8S+w +l026t3mqtN4/QhE0u2rPOqrRw35EzCUroTSwo4E/pbYDR8t9nOCdpS7xBg0baKU7gll 3qHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=OpWAp1thk59i49TYA8Ey1okmpXNPoWo+AbWfVy3cv2A=; b=DVu4MxdQaDMdSxJ27g/fav9ScNZ3yg3As+ALcjt+aJzBp7ceLQV+bEAAQV3p//wz4z iBjdDakkcTM98JluFFFOyHuTpFIN16aIzZkjwdCjV4TWMiaeGRI3WHL/ySL1hWVrIeCK TlqWJE0kkSdhbQXTaHRzKTne7TZFskgLS5FodvAnlMKaVQyp/WEq6io59r6a4ePnwHLt y0onYPiJu9R+0T8b9p866mkCRpt+OlV8ZXPfgrhWD3J7y1WYPgdZrn8uyLDdABrgtunc 02A+DhSRpTpKSW+34qG3u09F5qqcJvCJixwXnytYpF+tkIq+EZh7uVTHbFtF9qeNZRi+ /Wqw==
X-Gm-Message-State: AD7BkJK/ax79bbEITLO0yagS2mqYkj6xOPQX+z/dMaiRFWTAJUF+YgrKgDOIlPMAH11xkrKObW26HJchIJXmZQ==
MIME-Version: 1.0
X-Received: by 10.25.136.139 with SMTP id k133mr8049874lfd.157.1456846772535; Tue, 01 Mar 2016 07:39:32 -0800 (PST)
Received: by 10.114.79.194 with HTTP; Tue, 1 Mar 2016 07:39:32 -0800 (PST)
In-Reply-To: <CAJE_bqdkkHtNr3khkPmsxoUuJgC49J7nmsLE8UOH49o4-Eedog@mail.gmail.com>
References: <CAJE_bqdZTc57BGzVq8-EaOa7kT2ME9_3bXNKFr0WGk_MzLNOBQ@mail.gmail.com> <CAJ3w4NermaJtDzf3V4+WQcpJ5kEdWX6RQ9CyWiFmOmKw8+QZSQ@mail.gmail.com> <CAJE_bqc+1=CT66f88tB_DbavBmvnnYcK3a+LR_OwUWu_O-WnVw@mail.gmail.com> <CAJ3w4Ne8rU-cnvNqeM0x0PFw+mAD-TEmyegOJDgQuCiccFY2hg@mail.gmail.com> <CAJE_bqdBqjSG0UnGuKfjtQMB-Rp81pU7n_+Eq_Fb=yar+673hA@mail.gmail.com> <CAJ3w4NcmG18puJpzPFFvn4U8P7eQwh2WeMvcvH+UJHNPQd_BRw@mail.gmail.com> <CAJE_bqc9JHcUGCGW9VSPrHTBUe4tKowh9OHVbUA1qWwanWyYBg@mail.gmail.com> <CAJ3w4Nd+PbmQ3+fXGgMZHrh3NNejZmBaV0ytECjRc5KJ57HzPw@mail.gmail.com> <CAJE_bqdH_0G+2RWz8H4k8qsgK3iSHrzKnMG+jP-Kjp7Ka5rtjw@mail.gmail.com> <CAJ3w4NfU+aBMyvDMF8kxHV6TdWgFz3uNL61YpdsLWBGoXHQ1aQ@mail.gmail.com> <CAJE_bqdkkHtNr3khkPmsxoUuJgC49J7nmsLE8UOH49o4-Eedog@mail.gmail.com>
Date: Tue, 01 Mar 2016 23:39:32 +0800
Message-ID: <CAJ3w4NdAbdS5vnpWhUbzSBDg7mH_LOatWcdWiyXmYShp0L+TAQ@mail.gmail.com>
From: Lishan Li <lilishan48@gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a113f38945e8a52052cfe92cc"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/UyFP41bzp0ziCbLjumiSmvaMLhw>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, draft-ietf-dhc-sedhcpv6@ietf.org
Subject: Re: [dhcwg] comments on draft-ietf-dhc-sedhcpv6-10.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 15:39:36 -0000

Dear Jinmei,

According to your previous comment, I try to add the encryption algorithm
negotiation.

In order to support the encryption algorithm negotiation, the Encryption
option is defined. The Encryption option contains the EA-id(encryption
algorithm identifier) field. So the messages exchange is:
1. Information-request from client to server (ORO option contains code of
Certificate option)
2. Reply to the Information-request from server to client (Certificate
option, Encryption option, Server Identifier option are contained)
3. Encryption-Query from client to server (Solicit message contains the
Encryption option)
4. Encryption-Response from server to client

What do you think of the encryption algorithm negotiation method?

If the Encryption option is contained, the Reply(#2) message contains the
Certificate option and Encryption option. Then whether it is necessary to
contain the signature option for the message integrity check?

Looking forward to your further guidance.


Best Regards,
Lishan

2016-02-27 1:40 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>:

> At Fri, 26 Feb 2016 15:30:05 +0800,
> Lishan Li <lilishan48@gmail.com> wrote:
>
> > > > > [LS]: The self-signed certificate is the argument of the remove of
> the
> > > > public
> > > > key option. And we also need to supply some text to illustrate that
> it
> > > can
> > > > outweigh its cons. For the drawback of the method, the size of the
> DHCPv6
> > > > message is increased when we actually only need the public key, not
> the
> > > > certificate. However, the size of the X.509 certificate is not very
> > > large,
> > > > such as 1KB, which will not cause IPv6 fragment and other problem.
> > >
> > > Repeating my previous point just to make it sure that we are on the
> > > same page: the argument that a self-signed certificate should make a
> > > public key option redundant isn't new in our recent changes.  So I'd
> > > wonder why we are now bothering it.  If this is a completely new
> > > attempt of cleanup, I suggest making it very clear (i.e., it has
> > > nothing to do with mandated encryption etc) and discussing it
> > > accordingly.
> > >
> > > [LS]: The self-signed certificate make the DHCPv6 option redundant,
> which
> > is not a new problem caused by our defined mechanism. So we don't need to
> > bother it. Could you please check whether my understanding is correct?
>
> I didn't mean we "don't need to bother".  My major point is that this
> change was confusing:
>
> - We did a very substantial change since 08: merging encryption and
>   mandating it (as well as removing TOFU)
> - public key option was also removed as well without any explanation
>   of why
> - so I asked why, and your first response (it's because of the removal
>   of TOFU) didn't make sense to me: the argument with self-signed
>   certificate can apply with or without TOFU.
>
> That's why we have this conversation.
>
> Now, on clarifying these, I don't yet have a particular opinion on
> whether to remove the public key option.  But my suggestion is: if you
> want to make this change, raise this issue separately on this list
> with your rationale, get consensus, and apply it to a subsequent
> version of the draft.
>
> --
> JINMEI, Tatuya
>

v2.23.0 | Report a Bug | By Email