IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

Lishan Li <lilishan48@gmail.com> Fri, 25 November 2016 06:29 UTC

Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D2FB129541 for <dhcwg@ietfa.amsl.com>; Thu, 24 Nov 2016 22:29:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6TfhPb5OTHA for <dhcwg@ietfa.amsl.com>; Thu, 24 Nov 2016 22:29:43 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F9C012954D for <dhcwg@ietf.org>; Thu, 24 Nov 2016 22:29:43 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id n204so69213111qke.2 for <dhcwg@ietf.org>; Thu, 24 Nov 2016 22:29:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3y/SURQ0lcHYqDA0psu9bFHUlNnC/JoCffVDVHwUOfg=; b=mdxdr5QPYLtppBGfJfVaJt+u1uqr/jgV7nVJFMdksJAKm4Rbj+z+1Lrtov7Pi13N/l rCodpIE4g1yWXGa9i6XjuNNrQjJ+dOu8Pxk1jxcB6bIQhAffZLrPPlneMFHCMT5vj6tP l/bcBfEtXt0j3nX5TzhiRWxXPmGCjtyK0RCy06Dbj2+GV7qmDgcBpXhkZ+CQWTex80hY /vZiPvy6RWXNptYoJTtGLUKcxqulXl5fDsmpOafQoORQjlR3Z/3aIJDUewepaHwFJYWg pEUhYaDZAvC0+oU0a8gWWWK3fEESdnruxXY/YyVsu2WV4N0+TjunUWh5doFtpKeEgIw+ 1zcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3y/SURQ0lcHYqDA0psu9bFHUlNnC/JoCffVDVHwUOfg=; b=K8EUcI9bMOHGq0fC5asHohdLBWfPbGQIOCI/XZWYG8hLtb+ZHVQ0hRzuPNzcwBua/i YzqpC+iAVMLQDb9/11jbpynRbKXvMsh+ka7Vus4JPP2uhi83TNp1hoynN1tT5DtGscXQ T0iItqLpoJKnoEOqXQIw2C/PzKBdIzLu7k4Sf/4+JMha4c6rfgHrEJpbgdbW24c+O9UA AIQjJ7M6SQicEhIS3Cma1q1Dl8Bp2JXTxVxwuSZza+IUEJz+wJp/w1Ss8uQqqA9qR7dw U7orgEA7ytZHhx7YflcWrsLKmdhAdRlnAiROGwBN6QvoE5793xjTI2LeQ7I7e8bAjR3T puFg==
X-Gm-Message-State: AKaTC01lFlyMWKpArVpWjuG0lKls+kTHX2D7yk51ByzAUaAIFNeCNPVLCVxXZ8WKVwrgR5DVGbPoGdRkMYhGlg==
X-Received: by 10.55.38.80 with SMTP id y77mr5120669qkg.51.1480055382278; Thu, 24 Nov 2016 22:29:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.62.242 with HTTP; Thu, 24 Nov 2016 22:29:41 -0800 (PST)
In-Reply-To: <CAJE_bqfFOhe26huAP8_BFKjnTXbG4F0vUfMYs5Xy=3RQigS7FA@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com> <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com> <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com> <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com> <CAJ3w4NfS8PKOMHcP5s_Nsp5K5eWJfXWRF-vNEau_ekqTRwE=wA@mail.gmail.com> <CAJE_bqfqSXFR9R5wf1USg-zs+nvdohQFq99kQL2DiapXvUdEqA@mail.gmail.com> <CAJ3w4Ncj40JwrW6UB+TVFvymByU5Y9iFv5QroWhwUzkLrS2DTg@mail.gmail.com> <CAJE_bqd38grUh9q57a-H29GsMx5Dpv9VE0iBMO7v_-y97zZZUg@mail.gmail.com> <CAJ3w4Ne63cnqoeTZk=PDmAN9+i6jwzyxbK+up45wB9h+xUDSfw@mail.gmail.com> <CAJE_bqceK7YLpMqhgjqrFQh7641a+ZRcnO0F6p6BiM8EMKmA7w@mail.gmail.com> <CAJ3w4Nf65b1zo-smMguZBc_-RbFh2y8kk7Fnu__TKCQEVbs48w@mail.gmail.com> <CAJE_bqeVciLxS_q=deRKLBr12ZGXxx2wdFiztJxJjfS7aAV2Ag@mail.gmail.com> <CAJ3w4NcvyeuRWJatGGH7U4g413GQvr9LHtDiX13zSOz7kBGEhw@mail.gmail.com> <CAJE_bqfFOhe26huAP8_BFKjnTXbG4F0vUfMYs5Xy=3RQigS7FA@mail.gmail.com>
From: Lishan Li <lilishan48@gmail.com>
Date: Fri, 25 Nov 2016 14:29:41 +0800
Message-ID: <CAJ3w4Ne81LVsaznu_yck7fG7iJyGm=WY4=i2AF8gx39Tf59eMA@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a11454c6c4f117d05421a3f51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/oQqhg5uvKum1AyZzqP9Tt5-SIrY>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2016 06:29:48 -0000

2016-11-24 3:39 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>:

> At Wed, 23 Nov 2016 16:28:54 +0800,
> Lishan Li <lilishan48@gmail.com> wrote:
>
> > > - Introduce a new DHCPv6 option named "encryption key tag option".
> > >   Its value is calculated from public key data (it's essentially a
> > >   fingerprint of a specific public key).
> > > - Encryption Query messages MUST include the encryption key tag
> > >   option.  The option data MUST be calculated for the public key that
> > >   the client uses to encrypt the encapsulated DHCPv6 message.
> > >
> > [LS]: I agreed. I have two questions:
> > 1. How does the client calculate the key tag? Maybe the hash
> > function can be used for the calculation.
>
> Anything that would generate reasonably different values for different
> keys (but it doesn't have to be guaranteed) is fine.  A simple
> "checksum" like the RRSIG key tag would probably suffice; using a
> commonly known modern hash is also fine.
>
[LS]: So it is mostly a implementation problem and don't need to specify
it. Because for the algorithm agility, we defines the algorithm negotiation
mechanism between the client and server. So I the key tag generation
algorithm may also need negotiation mechanism. And then, the generation
algorithm should also be defined in our document.
Looking forward to your guidance.

> 2. For the first received Encrypted-Query message, how does the
> > server identifies the corresponding private key through the acknowledged
> > key tag?
> > one way is that: The server tries all the possible private key
> > and record the relation of key tag and the corresponding private key.
> > Another method is that: The server calculates the key tags of all the
> > private key and then finds the corresponding private key.
> > Looking forward to your further guidance.
>
> IMO this can be left to implementations.  But I expect most server
> implementations will calculate the tag value when it generates a key
> pair and maintain it with the key pair.  Note that if the server
> implementator and administrator don't care about the efficiency it
> could even calculate the tag value for its all public keys and compare
> it to the value specified in the "encryption key tag option".  Or it
> could even skip using the key tag and try all possible keys.  It's
> inefficient but will still work.
>
[LS]: Thanks a lot for your explanation. So we don't need to specify
this implementation problem in our document.

Best Regards,
Lishan

v2.23.0 | Report a Bug | By Email