Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

神明達哉 <jinmei@wide.ad.jp> Tue, 22 November 2016 17:53 UTC

In-Reply-To: <CAJ3w4Nf65b1zo-smMguZBc_-RbFh2y8kk7Fnu__TKCQEVbs48w@mail.gmail.com>
References: <CAJE_bqebwr2WUUgaNgiYS4_8L77Gxj4Os+oPRG407B6ELMEhCQ@mail.gmail.com> <CAJ3w4Ndi5Gq63n5kZnanRhLM8nWE2wsWGh0kJJLJnq=VoXLuCg@mail.gmail.com> <CAJE_bqegh1DfWjfK2BxeC_fWa0cEk-KJNP0AT-TQuEa39w_wVQ@mail.gmail.com> <CAJ3w4NdM99nv4C19Xj=aosNme+_Ymyys=xQ3UWUfeZReZC4ckA@mail.gmail.com> <CAJE_bqdhGZnK16MooiyujDgthDNnR74EiwW0OevrN6uq4b4ANw@mail.gmail.com> <CAJE_bqfKUZe2yaW1sAq7rrib0M7wz28HHtPLqCHK=vXcN6amgg@mail.gmail.com> <CAJ3w4Nd3s+ZojjiotLkKwys6truhUgK6F-90UYjcpB9iw=fKKQ@mail.gmail.com> <m2r36nuqvn.wl%jinmei.tatuya@gmail.com> <CAJ3w4NeuNYTrX4p5rtZ6UceD5ydQ-B-vY6aqQzxWnXsrDOEFEA@mail.gmail.com> <CAJE_bqdh-bgk7BHZJnaFFBr3PDj4ZnSSGeGNdQ70F7dv91iQrA@mail.gmail.com> <CAJ3w4NfU9PrC9a+MGnJ=Es1yir_asHB3p1=9GfxZZ0iSe+At+Q@mail.gmail.com> <CAJE_bqfRBYkrniWQ+vtPULTURnvyV792QNGvr8JhhZpGQ0MSdA@mail.gmail.com> <CAJ3w4NerRzHYsRqcUAkAjHX23PYVF4Jv0wKcd33vXRRg+-0EAQ@mail.gmail.com> <CAJ3w4NekPk0TuAZW_jmTDYQHd8JP3GsrA0qrKYrnyqSSk3qwxw@mail.gmail.com> <CAJE_bqc8hkrc3dYefTPWi-mUCtZD+oYsrobCK1KjmVGRnNfMCw@mail.gmail.com> <CAJ3w4NejrFAT3RK7i0W46HkQNJjhPxbhzQiL=3fcrceidTzHNQ@mail.gmail.com> <CAJE_bqcCwZWPHuZ0UR8_jyCUsaTrYKzLD8zUKwChYaCL06yT9A@mail.gmail.com> <CAJ3w4NfS8PKOMHcP5s_Nsp5K5eWJfXWRF-vNEau_ekqTRwE=wA@mail.gmail.com> <CAJE_bqfqSXFR9R5wf1USg-zs+nvdohQFq99kQL2DiapXvUdEqA@mail.gmail.com> <CAJ3w4Ncj40JwrW6UB+TVFvymByU5Y9iFv5QroWhwUzkLrS2DTg@mail.gmail.com> <CAJE_bqd38grUh9q57a-H29GsMx5Dpv9VE0iBMO7v_-y97zZZUg@mail.gmail.com> <CAJ3w4Ne63cnqoeTZk=PDmAN9+i6jwzyxbK+up45wB9h+xUDSfw@mail.gmail.com> <CAJE_bqceK7YLpMqhgjqrFQh7641a+ZRcnO0F6p6BiM8EMKmA7w@mail.gmail.com> <CAJ3w4Nf65b1zo-smMguZBc_-RbFh2y8kk7Fnu__TKCQEVbs48w@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Tue, 22 Nov 2016 09:53:30 -0800
Message-ID: <CAJE_bqeVciLxS_q=deRKLBr12ZGXxx2wdFiztJxJjfS7aAV2Ag@mail.gmail.com>
To: Lishan Li <lilishan48@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ze0osaliLLF_dMcd9oH-9NTiMK8>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] preliminary comments on draft-ietf-dhc-sedhcpv6-17

At Sun, 20 Nov 2016 01:11:18 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > My understanding of where we are is that we now agree that as of
> > sedhcpv6-17 the server can't efficiently identify the private key to
> > decrypt a message in an Encrypted-Query message.
> >
> > I can think of two possible next steps from here:
> > 1. leave the inefficiency: let the server try all possible private
> >    keys until it can decrypt the message or conclude no key works.
>
> > 2. introduce some kind of concept of "key ID" (or "key tag", in which
> >    case 100% uniqueness isn't required) and have the client include it
> >    in Encrypted-Query messages.
> >
> [LS]: I don't know why, in this case, 100% uniqueness isn't required.
> Key id is used as the identifier of the private key; can two private
> keys (two clients) use the same key id?

Because it's basically for making the key identification more
efficient.  It's similar to the key tag field of DNS RRSIG RDATA
(see RFC4034 Section 3.1).

> > I personally prefer option #2, but in that case I don't like to
> > overload the existing transaction-id field for this purpose.
> >
> [LS]: The standard DHCPv6 message format contains the
> transaction-id. If the transaction-id is not contained, then the
> message is not a DHCPv6 message. The transaction-id field's size
> is very small.
> In the earlier presentation, we showed that Encrypted-Query
> and Encrypted-Response messages are DHCPv6 messages.
> And no one raised any problem. And I also think that
> there is no problem. If you insist on your opinion, please
> state the problem it causes and modify the draft. I don't
> have any comment on this.

I didn't propose removing transaction-id.  I just pointed out that
your proposal (if I understood it) made it something actually
different from transaction-id.  I don't know whether we need to have a
discussion of why "naming something that is not a transaction ID a
transaction-id is a problem", but if we can simply go to a discussion
on what we should actually do, my suggestion is:

- Introduce a new DHCPv6 option named "encryption key tag option".
  Its value is calculated from public key data (it's essentially a
  fingerprint of a specific public key).
- Encryption Query messages MUST include the encryption key tag
  option.  The option data MUST be calculated for the public key that
  the client uses to encrypt the encapsulated DHCPv6 message.

--
JINMEI, Tatuya
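The following is an added worked example, not code from the draft or from anyone in this thread. It models the "encryption key tag option" suggested above and the point made earlier about why the tag need not be 100% unique: the server indexes its private keys by a 16-bit tag derived from the public key, uses the tag carried in the Encrypted-Query only to narrow the search, and tolerates collisions by attempting every key whose tag matches. Assumptions that are mine, not the draft's: the tag is computed with the same arithmetic as the DNSKEY key tag in RFC 4034 Appendix B, applied to the raw public-key bytes; the cipher is a labelled stand-in that only binds a payload to a recipient key (it is not encryption and not the draft's algorithm); the key names and key bytes are constructed so that two of them deliberately share a tag.

```python
"""Key-tag based private-key selection for an Encrypted-Query style message.

Added example (not from draft-ietf-dhc-sedhcpv6 or the mailing-list thread).
The tag is an efficiency hint only: whether a key is right is decided by the
decryption result, never by the tag alone.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def key_tag(public_key: bytes) -> int:
    """RFC 4034 Appendix B key-tag arithmetic over raw public-key bytes.

    Assumption of this example: the draft does not say how the tag is derived.
    """
    ac = 0
    for i, b in enumerate(public_key):
        ac += b if (i & 1) else (b << 8)   # odd offsets low byte, even offsets high byte
    ac += (ac >> 16) & 0xFFFF              # fold the carry back in
    return ac & 0xFFFF


@dataclass
class ServerKey:
    name: str            # constructed label for this example
    public_key: bytes    # the stand-in below only needs the public half


def _binding(public_key: bytes) -> bytes:
    return hashlib.sha256(public_key).digest()[:8]


def stand_in_encrypt(public_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for public-key encryption (NOT real encryption).

    It only binds the payload to the recipient's key so that a decryption
    attempt with any other key fails, which is all the key-selection logic
    needs to observe.
    """
    return _binding(public_key) + plaintext


def stand_in_decrypt(key: ServerKey, blob: bytes) -> Optional[bytes]:
    if blob[:8] != _binding(key.public_key):
        return None      # wrong key: a real cipher would fail here too
    return blob[8:]


class KeyRing:
    """Server-side key store indexed by key tag."""

    def __init__(self, keys: List[ServerKey]) -> None:
        self.keys = list(keys)
        self._by_tag: Dict[int, List[ServerKey]] = {}
        for k in self.keys:
            # Colliding tags simply share a bucket; nothing is overwritten.
            self._by_tag.setdefault(key_tag(k.public_key), []).append(k)

    def candidates(self, tag: Optional[int]) -> List[ServerKey]:
        if tag is None:
            return self.keys                 # option 1 in the thread: try everything
        return self._by_tag.get(tag, [])     # option 2: only keys with this tag

    def decrypt_query(self, tag: Optional[int], blob: bytes
                      ) -> Optional[Tuple[str, bytes, int]]:
        """Returns (key name, plaintext, decryption attempts) or None if no key works."""
        attempts = 0
        for k in self.candidates(tag):
            attempts += 1
            pt = stand_in_decrypt(k, blob)
            if pt is not None:
                return k.name, pt, attempts
        return None


def run_demo() -> dict:
    # Constructed keys: "k-a" and "k-b" are chosen so their tags collide.
    keys = [ServerKey("k-c", bytes(range(32))),
            ServerKey("k-a", bytes([1, 2, 3])),
            ServerKey("k-b", bytes([3, 2, 1]))]
    ring = KeyRing(keys)
    client_pub = keys[2].public_key          # the client picked "k-b" from the server's certificate
    blob = stand_in_encrypt(client_pub, b"encapsulated DHCPv6 message")
    tag = key_tag(client_pub)                # what the client would put in the key tag option
    return {
        "tag": tag,
        "with_tag": ring.decrypt_query(tag, blob),      # collision: 2 attempts, still succeeds
        "without_tag": ring.decrypt_query(None, blob),  # brute search over all keys: 3 attempts
        "bogus_tag": ring.decrypt_query(7, blob),       # no key has tag 7: nothing to try
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

The collision case is the one worth watching: both `k-a` and `k-b` have tag 1026, so the server tries two keys instead of one, but it never picks the wrong key because the decryption outcome, not the tag, settles the choice. A server that receives a tag matching none of its keys gets an empty candidate list and can reject the query immediately; whether to fall back to trying every key in that case is a policy decision the draft would have to state.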