IETF Logo Mail Archive

Re: [dhcwg] Deployment consideration for SeDHCPv6

神明達哉 <jinmei@wide.ad.jp> Tue, 17 June 2014 22:27 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E70E1A017F for <dhcwg@ietfa.amsl.com>; Tue, 17 Jun 2014 15:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCfRDkCMzUaG for <dhcwg@ietfa.amsl.com>; Tue, 17 Jun 2014 15:27:19 -0700 (PDT)
Received: from mail-wg0-x22c.google.com (mail-wg0-x22c.google.com [IPv6:2a00:1450:400c:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 324F01A017B for <dhcwg@ietf.org>; Tue, 17 Jun 2014 15:27:19 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id x13so6484wgg.15 for <dhcwg@ietf.org>; Tue, 17 Jun 2014 15:27:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=6uZZajZImwwIYz1j/TDETBLSTznDcndjfuEPW+7jm1o=; b=VysvSSTAr/HfBTfv7K0yfbfeOwIAYHobMIsCQ5rbJ0GnaDKFtkeh+zA9InriIPTh8s 220BFmtKvTNJ/QPHJJK9sAwW4htWYLLN+827OK5OfT9WpGJ5XtfnKXm98sggRdOE6Iba j/P2Lh2u7AF7cocC+U2PfhNCYWhs0M7vudaMP+9X/wg28yXPSpyOULnEL9kvUVIp09pA hHidVUhDLmw4g7BoA8Edti1meOHef7kLj/TwrWaJjKcu/3QTLjQ+ExhwOFKQ5yi+dDny xcXhTIj0qoQs5aDPDu7YFsa4M/WrGbF0dbYynT/GyVjJYSfmVE5clGtpW429dunddIEp RbUg==
MIME-Version: 1.0
X-Received: by 10.180.83.105 with SMTP id p9mr39946376wiy.8.1403044037634; Tue, 17 Jun 2014 15:27:17 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.222.7 with HTTP; Tue, 17 Jun 2014 15:27:17 -0700 (PDT)
In-Reply-To: <791EB108-E4E8-4A82-84BC-CB36E277CAC4@gmail.com>
References: <535FEDAD.5010103@gmail.com> <5388F901.1000709@gmail.com> <78B235AF-D94C-40F1-9C76-4159B3A0A043@nominum.com> <CAJE_bqf4UZeFifHMhM=Vo2X66+ab7cnhb19K-XD_+_pr7-VS1A@mail.gmail.com> <FF49B4DE-E45F-4FF7-9C2D-5FA72FE66A4D@gmail.com> <C7C8884E-499D-4B55-B978-8D7A4D21EE3C@nominum.com> <5D36713D8A4E7348A7E10DF7437A4B923AE88462@nkgeml512-mbx.china.huawei.com> <5D36713D8A4E7348A7E10DF7437A4B923AE891C2@nkgeml512-mbx.china.huawei.com> <CAJE_bqfJmdeTXwZNYx2XcLeMOJ2DhBkzXTQ61S8q4s=PL-28dA@mail.gmail.com> <791EB108-E4E8-4A82-84BC-CB36E277CAC4@gmail.com>
Date: Tue, 17 Jun 2014 15:27:17 -0700
X-Google-Sender-Auth: F_c12uARRakHvG2lwJYNdxR4J-I
Message-ID: <CAJE_bqcOPzK_HJn=NGoVeNpqR8iOiz+aLHAFteOHHeX=fsOm1Q@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Ralph Droms <rdroms.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/YbTxzchmKhE6GigmN-EljZs_5aQ
Cc: dhcwg <dhcwg@ietf.org>, Lemon Ted <ted.lemon@nominum.com>
Subject: Re: [dhcwg] Deployment consideration for SeDHCPv6
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jun 2014 22:27:20 -0000

At Tue, 17 Jun 2014 13:15:39 -0400,
Ralph Droms <rdroms.ietf@gmail.com> wrote:

> Jinmei-san - I have one question about your text.  Can you explain in a little more detail how the second and third examples of authentication on a server work, in which you say the server only has to remember the client's public key so neither full authentication nor LoF is required?

In the second example, the client sends its public key in Solicit, and
the server remembers it during the DHCP session starting from that
Solicit.  The server uses the public key to authenticate any
subsequent message from that client (or anyone claiming to be that
client) for that DHCP session.  I said LoF (let alone full
authentication) isn't needed because when the server accepts and
remembers the public key sent in the Solicit, it doesn't do so for the
purpose of authenticating the Solicit itself.  It only remembers the
public key to confirm that subsequent messages of the session are
certainly sent from the same client as the one sent the Solicit, and
there's no "leap" here.

In the third example, I actually didn't say LoF isn't required.  Could
the text read as if I did?

--
JINMEI, Tatuya

p.s., I noticed one type in the text, a kind only non native English
user would do: s/stuff/staff/ below:

> > This is satisfied with full authentication.  Due to the configuration
> > overhead, however, full authentication may not always be feasible.  It
> > would still be viable in a controlled environment with skilled stuff,
> > such as a corporate intranet.
[...]
> > different) certificates.  So the applicable case may be limited, but a
> > controlled environment with skilled stuff and a specifically expected
> > set of clients such as a corporate intranet may still find it useful
> > and viable.

if we use any part of my suggested text, please correct these > authors.

v2.23.0 | Report a Bug | By Email