IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

神明達哉 <jinmei@wide.ad.jp> Thu, 03 November 2016 19:03 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0474612961B for <dhcwg@ietfa.amsl.com>; Thu, 3 Nov 2016 12:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLSJQj-N1Mhu for <dhcwg@ietfa.amsl.com>; Thu, 3 Nov 2016 12:03:00 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5A87129431 for <dhcwg@ietf.org>; Thu, 3 Nov 2016 11:54:12 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id p16so34363739qta.0 for <dhcwg@ietf.org>; Thu, 03 Nov 2016 11:54:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jw4qIwATqccKDt4KW72gslMSxJUEYnwOzFUbdmv92Mw=; b=WSGdJsSUEUl3dGRcx3aXTKuzZxfc0VHHfGl7TYhmzOObR7tS1sfyqSEAOSfdpoP+nZ aoNN4B7XIpAN0LYfiSnbffV2bqdbxI72Ls6Jp65GEdKOdYuStS+oLszTZAF+lubylT7v nuukenqmil63Wea1qu8/JYwFjqmIYhNk9X/fsHmloDfJoUuFOtnQJQNrbcJBGBteQO0H WwBqjhFwXqEZOiKxxfmd2jrN6mGxxQEYEFtLjZoYWFZ8i8Ci0QrSGaNkyy+Af6Mmgf19 KpB6og1g/8OAnMwPQLAAl+xJECxA3MwALuW5FpNEMlmR3Eci+ajASLAwXKMrI86VI53N yaIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jw4qIwATqccKDt4KW72gslMSxJUEYnwOzFUbdmv92Mw=; b=TPOGwx7Z5eV+yvUAeW3DQdXpf3v8q5VB2RJOhehRYJUCGEEDuE2XsDrkDi7W3tcPUT vUTGSRrATHBdKKB0AoZbRzQfOsXQuu3OXMZmTlBUzvBNJIYt2FYAZHsDeQEwPP8BdfVW sP0urgyQ0yl1ytdiG9A4hPtPF/i2wmeFc/Vr0YeortZhQrjVWYADRD67EYbls/EigQMb h9GPKxXf4ROiZg1VQ8sp7CGy3f2HCh6LYEeB11OnbAc3bkKrwCbeCKkU8XSfVWs3VkWf CjGRN9nQrsWcP4TSMqpggpOKZjqPSBh0Mltzq7/sdEg4YF4eVkokUpCMXPmnOafkCeSh /t6g==
X-Gm-Message-State: ABUngvdm5aa6a+uT5gqvPiSFTMMGPpb4FQTfiN95m0+Z1bq+FVfFXiVNvdzZiOI1gPAuEYpy4HgiD3ojQ4EZ6w==
X-Received: by 10.200.40.211 with SMTP id j19mr9951400qtj.72.1478199251824; Thu, 03 Nov 2016 11:54:11 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.54.134 with HTTP; Thu, 3 Nov 2016 11:54:11 -0700 (PDT)
In-Reply-To: <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Thu, 03 Nov 2016 11:54:11 -0700
X-Google-Sender-Auth: Wy8VorH6FTNwiS_W1Cp2VYfPD_w
Message-ID: <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com>
To: Lishan Li <lilishan48@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/XKByz0Shaq9wJq0-jQwsEJIyeoU>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 19:03:01 -0000

At Thu, 3 Nov 2016 16:36:46 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > 2. Algorithm negotiation still doesn't make much sense to me.  I have
> >    many questions and concerns related to this point, but instead of
> >    raising each of these, I'd suggest one specific alternative to
> >    consider: have the client send a list of supported algorithms in
> >    the initial Information-Request, and let the server choose one set
> >    of them and keep using the same set.  This way we don't have to
> >    worry about an "algorithm not supported" error in the middle of a
> >    DHCPv6 session (as a corollary, we don't have to worry about how to
> >    return an encrypted reply when the client's preferred encryption
> >    algorithm isn't supported by the server).  An obvious downside of
> >    this is that it reveals some information of the client (the list of
> >    supported/preferred algorithms), but IMO this is acceptable.
> >
> [LS]: In the current version, the server firstly sends a list of supported
> algorithms through the Reply message. Then the client processes it
> according to the following method:
[...]
> So it is not possible that the the server does not support the
> acknowledged algorithms. So we also don't need to worry
> about how to return an encrypted Reply when the client's
> preferred encryption algorithm isn's supported by the server.

One issue of this approach is that there's no way to recover from the
situation where the client doesn't support any of the server-supported
algorithms.  Also, the server will have to include certificates of all
the supported algorithms and signatures for all combinations of
supported hash and signature algorithms as it doesn't know which of
these works for the client.  This along with requiring the server
to always include mandatory algorithms will make this approach
workable, but it seemed to me to be unnecessarily wasteful and
complicated.  Hence my suggestion.

Besides, the current draft is not clear that the server needs to
include all certificates and all combinations of signatures.  It's
also awkward to mention the AlgorithmNotSupported status code if "it
is not possible that the the server does not support the acknowledged
algorithms".  So, whether or not my suggestion is adopted, the current
version of draft has a lot of readability and technical issues (and so
I think it's way far from being ready for a last call).  These are
actually what I'd raise once I get to the point to discuss the content
of the draft, but I wanted to address the higher level matters first.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email