IETF Logo Mail Archive

Re: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt

Francis Dupont <Francis.Dupont@fdupont.fr> Wed, 25 June 2014 12:06 UTC

Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B71C81B2AF3 for <dhcwg@ietfa.amsl.com>; Wed, 25 Jun 2014 05:06:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.203
X-Spam-Level:
X-Spam-Status: No, score=-2.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8RxKIbqXwURh for <dhcwg@ietfa.amsl.com>; Wed, 25 Jun 2014 05:06:08 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F9741B2BD1 for <dhcwg@ietf.org>; Wed, 25 Jun 2014 05:06:08 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id s5PC61Ak084308; Wed, 25 Jun 2014 14:06:01 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201406251206.s5PC61Ak084308@givry.fdupont.fr>
gFrom: Francis Dupont <dupont@givry.fdupont.fr>
To: Sheng Jiang <jiangsheng@huawei.com>
In-reply-to: Your message of Wed, 25 Jun 2014 08:16:37 -0000. <5D36713D8A4E7348A7E10DF7437A4B923AEBC702@nkgeml512-mbx.china.huawei.com>
Date: Wed, 25 Jun 2014 14:06:01 +0200
From: Francis Dupont <Francis.Dupont@fdupont.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/XtJNJs8p_TKHs_53cmkKaWYx7YU
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 12:06:11 -0000

 In your previous mail you wrote:

>  >The second point is about (X.509 public key) certificates. They are useless
>  >without the trust anchor, the whole chain, CRLs, etc. And if we want
>  >to use self-signed certificates they bring nothing compared to raw
>  >public keys. And I don't talk about profiles (even SeND had to be
>  >completed by RFC 6494). So I really suggest to drop the certificate
>  >option and to use the key option to identify the public key.
>  
>  Actually, certificate would be very useful for server to authorize the clien
>  t. It is much less useful on a client, who have not been allowed to connect 
>  on line. In such case, certificate can be used with LoF, which is equal usag
>  e as identify the public key.

=> for the first point something like the URI and hash from IKEv2 is
IMHO far more usable than to put the certificate inside the message.
And I disagree about the second statement: there is no reason to
give up about the server authorization. It is a hard problem but
not an untrackable one (as SeND proved). For the last a public key
option is simpler and more efficient so it is not an argument for
keeping the certificate option.

>  >The last point is compatibility with SeND (RFC 3971). Today in red and
>  >black (:-) environments it is possible to secure the Neighbor Discovery
>  >but not DHCP. I propose to fix this using the secure DHCPv6 for
>  >the protection of DHCP and the SeND section 6 Authorization Delegation
>  >Discovery for the "certificate part".
>  
>  Could you be more clear how this may work? I am not sure I fully understand 
>  your proposal. So far, SeDHCPv6 has no compatibility issues with SeND, becau
>  se they are two solutions independent from each other. We don't want to intr
>  oduce any dependency between them, which would make the deployment much more
>  complicated.

=> I don't want to introduce dependency but to make them to be able to
work not only together but in complement, exactly as DHCPv6 and ND are
(even it took a very long time to finalize all details).
The missing part in SeDHCPv6 is the authorization, i.e., all the higher
order thing about certificates. This is already handled in SeND, perhaps
not in the best way, so the idea is to say for SeDHCPv6 + SeND we don't
need to reinvent the wheel.
This could leave two use cases for SeDHCPv6: LoF or statically
pre-configured SeDHCPv6 using raw public keys, and SeDHCPv6 + SeND
for strongly secured environments. Perhaps not the whole thing we want
but enough to "sell" a first version.

Regards

Francis.Dupont@fdupont.fr

v2.23.0 | Report a Bug | By Email