IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

神明達哉 <jinmei@wide.ad.jp> Wed, 30 November 2016 15:34 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AE71295D2 for <dhcwg@ietfa.amsl.com>; Wed, 30 Nov 2016 07:34:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U8uJvmWivRX3 for <dhcwg@ietfa.amsl.com>; Wed, 30 Nov 2016 07:34:41 -0800 (PST)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8EB91295F9 for <dhcwg@ietf.org>; Wed, 30 Nov 2016 07:34:38 -0800 (PST)
Received: by mail-qk0-x230.google.com with SMTP id n21so213040636qka.3 for <dhcwg@ietf.org>; Wed, 30 Nov 2016 07:34:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=0GodQfkPbeEiKEw2RC1qjngEaG5ma8bhIiiOmNCr1hA=; b=MXoDSe9wggPQ4ZcFO4gl0/60PYnPGIDYXRmClIVclon2GYuadKSMDKzZM7I83zlSV7 HwtPwkdBLTAdvpJEaKBryESiT/4BlRZ5Cy9bMX/h9JfYDe1CveKWCugtXfkNVforFScX 7HvlqM2lHCS+ujUKNYnpncMrkVoN5spAfnzCn3PySw/Jno5N0W+CPkKt29Di9FO0rqY3 t8aezK7iUeHWAqKtWfMMMbbT96p9amGppg4Bmsl1WOWlMtOelNhrKOSX5LxNaYHvswj2 Les4+x8DbaS4EUeJtt5uaR3w9BnJXONCTdSkv6zziX7dPcd/9EJwyl+8O2dDTmvLrJzM mkkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=0GodQfkPbeEiKEw2RC1qjngEaG5ma8bhIiiOmNCr1hA=; b=RuDdx9iAVtUGxQ/2bEw355s+9LmTZkBoXQ741clSqXjjHo+cbfIjNHc5EL3GqCIUS6 LY3ZKD2ReRuqjsc8DpvRVHtLikJ+q9UuMPE91A2QZ0IMnTAiVRY2BL/Bgy2yOo2StOgB GQgpVOMMOOOHLmRmyIsALbw+e1uY0DrzBvlgW2uAwBYCeZT/ZtdGin17e6WSchYQj20a ZancZ2lkBx/RwAeb3uq01wLXXYwnoqwneXVkC1+5Eh9AZkKVTK0otKOW6j9NxgORrzZl t428NfW4xWhrYsqbX6r4wa6da7mIyJbIe70hkF6uvjS/oX3kYMXJ2s+/1KqMu7YpIGQN b8uw==
X-Gm-Message-State: AKaTC036ucHqqhnWRkMtSQWNGvRwBUOaWkulknW4gH3QMjjlpZPZmZtNzWNizY+dLoU9jEX60+iK7wTrXbIl5A==
X-Received: by 10.55.64.69 with SMTP id n66mr28170163qka.20.1480520077705; Wed, 30 Nov 2016 07:34:37 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.53.155 with HTTP; Wed, 30 Nov 2016 07:34:36 -0800 (PST)
In-Reply-To: <CAJ3w4NfEqpZu+fYO_1A06bVT2Qzqc1qyTi_NkKrBjWGCJGwJVA@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com> <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com> <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com> <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com> <CAJ3w4NfS8PKOMHcP5s_Nsp5K5eWJfXWRF-vNEau_ekqTRwE=wA@mail.gmail.com> <CAJE_bqfqSXFR9R5wf1USg-zs+nvdohQFq99kQL2DiapXvUdEqA@mail.gmail.com> <CAJ3w4Ncj40JwrW6UB+TVFvymByU5Y9iFv5QroWhwUzkLrS2DTg@mail.gmail.com> <CAJE_bqd38grUh9q57a-H29GsMx5Dpv9VE0iBMO7v_-y97zZZUg@mail.gmail.com> <CAJ3w4Ne63cnqoeTZk=PDmAN9+i6jwzyxbK+up45wB9h+xUDSfw@mail.gmail.com> <CAJE_bqceK7YLpMqhgjqrFQh7641a+ZRcnO0F6p6BiM8EMKmA7w@mail.gmail.com> <CAJ3w4Nf65b1zo-smMguZBc_-RbFh2y8kk7Fnu__TKCQEVbs48w@mail.gmail.com> <CAJE_bqeVciLxS_q=deRKLBr12ZGXxx2wdFiztJxJjfS7aAV2Ag@mail.gmail.com> <CAJ3w4NcvyeuRWJatGGH7U4g413GQvr9LHtDiX13zSOz7kBGEhw@mail.gmail.com> <CAJE_bqfFOhe26huAP8_BFKjnTXbG4F0vUfMYs5Xy=3RQigS7FA@mail.gmail.com> <CAJ3w4Ne81LVsaznu_yck7fG7iJyGm=WY4=i2AF8gx39Tf59eMA@mail.gmail.com> <CAJE_bqceRD2+vkfwR+Egr=CgyAT4wd1Wmxp1S=f3WRFGs9j4sg@mail.gmail.com> <CAJ3w4NcnAe3Enhs6KVgBkpa+BivLGRw9SGJ1RmAq7q=HM8Ph6Q@mail.gmail.com> <CAJE_bqcTpK0j_yfza3KPavEgdcpk2z+ZivZt8Hs1m2NrE7_scA@mail.gmail.com> <CAJ3w4NfEqpZu+fYO_1A06bVT2Qzqc1qyTi_NkKrBjWGCJGwJVA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Wed, 30 Nov 2016 07:34:36 -0800
X-Google-Sender-Auth: ei3ySHPVsABGFYkriP3hX3ujp9g
Message-ID: <CAJE_bqeXr02-9f5MrntfhmgQfNF=F9h+A62TBR-C4tAxcRDx-g@mail.gmail.com>
To: Lishan Li <lilishan48@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/_5xBTRDKHkuhczcTGzFrUXZL8nw>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 15:34:43 -0000

At Wed, 30 Nov 2016 17:55:00 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > This doesn't sound like reliable for the same reason.  While this can
> > certainly be designed in multiple different ways, I don't see why we
> > might want to allow the server to skip calculating the tag value for
> > its public keys.  It's a one-time operation for each key pair if the
> > server has a volatile storage and can store the value there (which
> > would be quite likely for middle-to-large scale servers).  Even if it
> > needs to calculate the tag value on every startup (and keep it in
> > memory throughout its runtime) it should be quite lightweight.
> >
> [LS]: It is not a one-time operation for each key pair. For different
> clients, the key tag calculation method is different. For the multiple

I don't understand this.  Why is it different for different clients?
Perhaps you somehow assumed I was talking about the use of signature
hash algorithm (which can be different for different clients)?  I
wasn't; I said it didn't sound like reliable, and pointed out that if
we fix the calculation method it's a one time operation and the
overhead wouldn't be a big issue.  Maybe "if we fix the calculation
method" condition wasn't clear enough.

> calculation method, I don' t think it is lightweight.
>
> Assume that the calculation method is needed, which method do
> you suggested?

I have no specific suggestion or preference.  Perhaps just use the
same algorithm as RRSIG key tag?

> > >
> > > [LS]: The Reconfigure message is sent from server to client. So sure,
> > > it should be encrypted in Encrypted-Response message.
> > >
> > > Firstly, I think there is no need to design such a mechanism for it.
> > [...]
> > > key pairs. However, the client always communicates with only one DHCPv6
> > > server.
> >
> > Is this guaranteed by the protocol specification?  If so, could you
> > provide specific text of an RFC (3315? or 3315bis?) that specifies
> > this restriction? [...]
> >
> [LS]: In the case that multiple servers share one common certificate,
> the Encrypted-Query message may be sent to multiple DHCPv6
> servers. But they are informed of the same public key. And the
> client also uses the same one private key for decryption.
> So we can add the statement that: During the DHCPv6 configuration
> process, the client MUST only use one certificate to establish the
> encrypted communicate with the DHCPv6 server.

This didn't answer my question.  Could you first answer the question?
If there's no such restriction in the base protocol, we cannot assume
it and can't assume it in designing sedhcpv6.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email