IETF Logo Mail Archive

Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

Lishan Li <lilishan48@gmail.com> Wed, 16 November 2016 12:17 UTC

Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F89129784 for <dhcwg@ietfa.amsl.com>; Wed, 16 Nov 2016 04:17:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6OFcsJW3r8xf for <dhcwg@ietfa.amsl.com>; Wed, 16 Nov 2016 04:17:42 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE4B7129421 for <dhcwg@ietf.org>; Wed, 16 Nov 2016 04:17:41 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id x190so172169334qkb.0 for <dhcwg@ietf.org>; Wed, 16 Nov 2016 04:17:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=z1nKbgQYHznCkqB/A9XkIxPpDtXwk8peflYh4pSkUpg=; b=hLpjEugk2zeCV3wLhM5uG/6yGgYwOB3INO7Etd6oNBNGqy9xmVdOcXKelRxsBUKQjQ OI6rFCjMoz8n+0a2rktBiIQfFabm6UMSopgjO8JdFqc3nDbik6amPpVJk2OSbQ9yesi4 erpHkAbe5ue3Cbnu8h53qJyk8vY+UP1RG/KU15kEYQ71oT+xpD4ZxWx69vT90zQd/JOX 0Jh2Gh9eCqeTjVygZ+Ggjc4ET4QZq8LEiu+eMg+ixdTxZcasxygldU59X+tliFXcVH3V 5dK898KJuTkUTPuMPfr44eQEmz9eR5U5n3vTPKhZoP23ZfZxAJjnMaEDlPEz6KCDjlSz P9BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=z1nKbgQYHznCkqB/A9XkIxPpDtXwk8peflYh4pSkUpg=; b=P+G59kvlz7vKbSr3VefRKN3F6kEdSErFFl789+9+JxbGEIFA7NJXVQFDl1mS0SYe8U nE2HYGXJuFMfVmfPKDXTtVlDOEYhEbRdem+VWDYIPcXZudz7HeBWClalPiAMYK8HsjsN fCj0koTZIu2K1P8j+T43WP5k+65coy80BlFlpujkimUj29uTeoZHgUb4ZWYpDEW2ScOy t3Car5RtzKPs6QCGR17e1CKpI0jBTU1G5YXRRRlPSqdcyRtqPLCwqQ387tS3/Wr4WIh/ 1Upx09aWw7XZh9OhVuZ8cy4pKiw/1XBRCnyJka4w7c1HmcENnjhmpcLIiCVusEapUiyx Njzg==
X-Gm-Message-State: AKaTC02mQT5xqAODy/EKhagm9LLdvCAJh2qmZ6e7sbp5sKPulpuUyRfHxXe1H8uLxMcc4qcOsDIBuwr/D1TTFQ==
X-Received: by 10.55.17.68 with SMTP id b65mr2766842qkh.60.1479298661072; Wed, 16 Nov 2016 04:17:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.62.242 with HTTP; Wed, 16 Nov 2016 04:17:40 -0800 (PST)
In-Reply-To: <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com> <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com> <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com> <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com>
From: Lishan Li <lilishan48@gmail.com>
Date: Wed, 16 Nov 2016 20:17:40 +0800
Message-ID: <CAJ3w4NfS8PKOMHcP5s_Nsp5K5eWJfXWRF-vNEau_ekqTRwE=wA@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a1146f10635dcff05416a0fb0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/t3h5B1_6fqHeE3b0W80iTu0c0U0>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2016 12:17:44 -0000

In the before, Bernie proposed the same question. And we made the following
consensus: The Encrypted-Query and Encrypted-Response message use the same
transaction-id with the before Information-request and Reply message.

2016-11-16 2:01 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>:

> At Tue, 15 Nov 2016 15:27:46 +0800,
> Lishan Li <lilishan48@gmail.com> wrote:
>
> > > BTW this makes me notice one related issue: it doesn't seem to be
> > > possible for a server to identify the private key to decrypt the
> > > message contained in an Encrypted-message Option contained in the
> > > Encrypted-Query message unless it tries all private keys it might be
> > > used.
> > >
> > [LS]: The private key which is corresponding to the public key for
> > encryption
> > algorithm is used for decryption. After sending the Reply message, the
> > message
> > transaction-id is used as the identifier of the private key for
> decryption.
>
> Can you be more specific about this?  For example, assume the client
> tries to send a Solicit message encrypting it with a server's public
> key (and assume the server supports multiple algorithms and multiple
> key pairs).  The encrypted solicit message that the server receives
> would look like this:
>
> msg-type: Encrypted-Query
> transaction-id: some random number the client generates on building
>   the Encrypted-Query (per Section 15.1 of RFC3315 or 16.1 of
>   rfc3315bis-06).
>
[LS]: So, in this sample, the transaction-id is not some random number, but
the same content with the transaction-id in Information-request and reply
message.

> options:
>   Encrypted-message option:
>     option-code: OPTION_ENCRYPTED_MSG
>     option-len: set appropriately
>     encrypted DHCPv6 message: opaque data to be decrypted
>
> Do you mean the server can use the transaction-id included in the
> Encrypted-Query message to identify the algorithm and the private key
> to decrypt "encrypted DHCPv6 message"?  If so, specifically how?  As
> noted above the transaction-id value is chosen by the client at the
> time of generating this message and the server cannot know or
> (easily) predict it in advance.
>

Best Regards,
Lishan

v2.23.0 | Report a Bug | By Email