IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

Lishan Li <lilishan48@gmail.com> Thu, 01 December 2016 11:46 UTC

Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C72512963B for <dhcwg@ietfa.amsl.com>; Thu, 1 Dec 2016 03:46:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8sq1cNSkZohB for <dhcwg@ietfa.amsl.com>; Thu, 1 Dec 2016 03:46:08 -0800 (PST)
Received: from mail-qt0-x233.google.com (mail-qt0-x233.google.com [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27542129637 for <dhcwg@ietf.org>; Thu, 1 Dec 2016 03:46:08 -0800 (PST)
Received: by mail-qt0-x233.google.com with SMTP id n6so217713408qtd.1 for <dhcwg@ietf.org>; Thu, 01 Dec 2016 03:46:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MTRc/fPfn5OWom/dkM9BsKXA5SIIvtZRLP3f1MSHrcc=; b=PQ9aWolWoDsSFQOBJ8Cw5mooE7zAuiAUXBIb+x1XdUE90vqyC+zsOtXol47kinwTCo 4JDQg/rZFTFM0eo+vUBnHr/+DzFgtD0lf2pH/bmzxHU5QlEb7DfkFuUBk07KAWrWIrw0 dV+JHaVaS6dx5nV8oOO7jkEtgz/DPSzNDSwbE/59ThICgXi+5AH0oFy8V42bPP77+HCf +6eZpQlzuzQ8UnfZSaaZlpgrRKjkjv5B+et1if+W+NMqLzaZDRyWQWR9/70v/lQ6jGaF nj988PxsIY1aqFEUCXdTnbQjiazFY03HoLK2Tqk/SxbzLyG/U3WZHvFd0bMiw+L/MzeQ S94A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MTRc/fPfn5OWom/dkM9BsKXA5SIIvtZRLP3f1MSHrcc=; b=WIJNL5aNMvmGgpoZNM73HMPU+8jyLmQg94LDRn4z/rxf8mSZ3vB6ZuzbT7DlbzHjUA ZPsz4wVk//kx1+H0rKJTk3/W6TDOQxwfSQpI8I27D2IqUZBA7SXxk/IoiOwSiiWy1rsn dy2NvnK4GKdQCQ/s5Ms4zaZOzyqv6dyoCh4ASD3Gvck3ByGGlTwEXzUJ1emMULaDxtqb ESNXB2LVlQHBS23u7r72Wh/TjLRDyIETqRR99xAymKFTapfQC1F9XOsNuhFk3jNdKP/T +y2rKMcZoIe+r+rI6aHu+E/SqW9n7y4aTP9AaYIihpBwS2Hd5NgGeCxTZK2sp/hjfgjE m2Wg==
X-Gm-Message-State: AKaTC02woyv+Msv2vEpXMnModQ7gQwnNx0tURPrDSOJmk9j3h/zve+0wryVGeQDV56WMw80qGNqUxkLQG2AggA==
X-Received: by 10.237.33.240 with SMTP id m45mr32774798qtc.250.1480592767300; Thu, 01 Dec 2016 03:46:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.36.211 with HTTP; Thu, 1 Dec 2016 03:46:06 -0800 (PST)
In-Reply-To: <CAJE_bqeXr02-9f5MrntfhmgQfNF=F9h+A62TBR-C4tAxcRDx-g@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com> <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com> <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com> <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com> <CAJ3w4NfS8PKOMHcP5s_Nsp5K5eWJfXWRF-vNEau_ekqTRwE=wA@mail.gmail.com> <CAJE_bqfqSXFR9R5wf1USg-zs+nvdohQFq99kQL2DiapXvUdEqA@mail.gmail.com> <CAJ3w4Ncj40JwrW6UB+TVFvymByU5Y9iFv5QroWhwUzkLrS2DTg@mail.gmail.com> <CAJE_bqd38grUh9q57a-H29GsMx5Dpv9VE0iBMO7v_-y97zZZUg@mail.gmail.com> <CAJ3w4Ne63cnqoeTZk=PDmAN9+i6jwzyxbK+up45wB9h+xUDSfw@mail.gmail.com> <CAJE_bqceK7YLpMqhgjqrFQh7641a+ZRcnO0F6p6BiM8EMKmA7w@mail.gmail.com> <CAJ3w4Nf65b1zo-smMguZBc_-RbFh2y8kk7Fnu__TKCQEVbs48w@mail.gmail.com> <CAJE_bqeVciLxS_q=deRKLBr12ZGXxx2wdFiztJxJjfS7aAV2Ag@mail.gmail.com> <CAJ3w4NcvyeuRWJatGGH7U4g413GQvr9LHtDiX13zSOz7kBGEhw@mail.gmail.com> <CAJE_bqfFOhe26huAP8_BFKjnTXbG4F0vUfMYs5Xy=3RQigS7FA@mail.gmail.com> <CAJ3w4Ne81LVsaznu_yck7fG7iJyGm=WY4=i2AF8gx39Tf59eMA@mail.gmail.com> <CAJE_bqceRD2+vkfwR+Egr=CgyAT4wd1Wmxp1S=f3WRFGs9j4sg@mail.gmail.com> <CAJ3w4NcnAe3Enhs6KVgBkpa+BivLGRw9SGJ1RmAq7q=HM8Ph6Q@mail.gmail.com> <CAJE_bqcTpK0j_yfza3KPavEgdcpk2z+ZivZt8Hs1m2NrE7_scA@mail.gmail.com> <CAJ3w4NfEqpZu+fYO_1A06bVT2Qzqc1qyTi_NkKrBjWGCJGwJVA@mail.gmail.com> <CAJE_bqeXr02-9f5MrntfhmgQfNF=F9h+A62TBR-C4tAxcRDx-g@mail.gmail.com>
From: Lishan Li <lilishan48@gmail.com>
Date: Thu, 01 Dec 2016 19:46:06 +0800
Message-ID: <CAJ3w4NfoebD1PnE82AwVz0s5s7y5pCoaX3ATJWtAa37aOej9hw@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a11394d42f3ba1c0542975df0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/_YH6Ll8aXaSoE38ozdQUYHs2opk>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 11:46:10 -0000

2016-11-30 23:34 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>:

> At Wed, 30 Nov 2016 17:55:00 +0800,
> Lishan Li <lilishan48@gmail.com> wrote:
>
> > > This doesn't sound like reliable for the same reason.  While this can
> > > certainly be designed in multiple different ways, I don't see why we
> > > might want to allow the server to skip calculating the tag value for
> > > its public keys.  It's a one-time operation for each key pair if the
> > > server has a volatile storage and can store the value there (which
> > > would be quite likely for middle-to-large scale servers).  Even if it
> > > needs to calculate the tag value on every startup (and keep it in
> > > memory throughout its runtime) it should be quite lightweight.
> > >
> > [LS]: It is not a one-time operation for each key pair. For different
> > clients, the key tag calculation method is different. For the multiple
>
> I don't understand this.  Why is it different for different clients?
> Perhaps you somehow assumed I was talking about the use of signature
> hash algorithm (which can be different for different clients)?  I
> wasn't; I said it didn't sound like reliable, and pointed out that if
> we fix the calculation method it's a one time operation and the
> overhead wouldn't be a big issue.  Maybe "if we fix the calculation
> method" condition wasn't clear enough.
>
> > calculation method, I don' t think it is lightweight.
> >
> > Assume that the calculation method is needed, which method do
> > you suggested?
>
> I have no specific suggestion or preference.  Perhaps just use the
> same algorithm as RRSIG key tag?
>
[LS]: I have no idea to complete it. Please contribute the text about it.

>
> > > >
> > > > [LS]: The Reconfigure message is sent from server to client. So sure,
> > > > it should be encrypted in Encrypted-Response message.
> > > >
> > > > Firstly, I think there is no need to design such a mechanism for it.
> > > [...]
> > > > key pairs. However, the client always communicates with only one
> DHCPv6
> > > > server.
> > >
> > > Is this guaranteed by the protocol specification?  If so, could you
> > > provide specific text of an RFC (3315? or 3315bis?) that specifies
> > > this restriction? [...]
> > >
> > [LS]: In the case that multiple servers share one common certificate,
> > the Encrypted-Query message may be sent to multiple DHCPv6
> > servers. But they are informed of the same public key. And the
> > client also uses the same one private key for decryption.
> > So we can add the statement that: During the DHCPv6 configuration
> > process, the client MUST only use one certificate to establish the
> > encrypted communicate with the DHCPv6 server.
>
> This didn't answer my question.  Could you first answer the question?
> If there's no such restriction in the base protocol, we cannot assume
> it and can't assume it in designing sedhcpv6.
>
[LS]: I just think that it is a default fact. Could you please give an
example that the client communicates with two DHCPv6 servers
for the address configuration in the same time?

Best Regards,
Lishan

v2.23.0 | Report a Bug | By Email