Re: [dhcwg] Fwd: New Version Notification for draft-li-dhc-secure-dhcpv6-deployment-01.txt
Lishan Li <lilishan48@gmail.com> Thu, 29 October 2015 13:28 UTC
Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F391A6FDA for <dhcwg@ietfa.amsl.com>; Thu, 29 Oct 2015 06:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level:
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id duR4Z5J4Gah1 for <dhcwg@ietfa.amsl.com>; Thu, 29 Oct 2015 06:28:05 -0700 (PDT)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7101A6FD2 for <dhcwg@ietf.org>; Thu, 29 Oct 2015 06:28:04 -0700 (PDT)
Received: by lbbwb3 with SMTP id wb3so28442350lbb.1 for <dhcwg@ietf.org>; Thu, 29 Oct 2015 06:28:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=bkzQAwBclwmVimD0V/o9a5xRJIoTaUP68QhbC2lAhN4=; b=wgY/t0y5tly7Z+q0doxwt2sHW4yXf8/RAvNp4Mm/AytRgrr8Hebzv3NGGTXwKHToSy jspyE8BBWiUyGzuyQJwbomxIfcdKI/TghsJmFgzxnE4YZz/DFwPApyfHasY7T8ddHqi2 vlgcqXf1kDuycYV8qbrI54uMtkmUP8KeW5tlY2LtfSEt+Sdf5xjXsdK+ERGGhSrArpNI G9fWqM+sG9bjMvw4AagpoyOIzKx3zxVbYEiow4Ij2RdL1hxWNJCZiQV+Z8jyKdCYuOPb f0KvOjzPZQNoUbyWx6TyavKvJzQtQQky0sjWgI9rYVaeC+IbnwhGSSeJJJzxB7N76BE7 mwkQ==
MIME-Version: 1.0
X-Received: by 10.112.149.97 with SMTP id tz1mr981544lbb.57.1446125283070; Thu, 29 Oct 2015 06:28:03 -0700 (PDT)
Received: by 10.114.199.176 with HTTP; Thu, 29 Oct 2015 06:28:03 -0700 (PDT)
Date: Thu, 29 Oct 2015 21:28:03 +0800
Message-ID: <CAJ3w4NdUXQPG_+U5c5zJNVdyozOGFWD7RgeXp0V6ELLMfAoabw@mail.gmail.com>
From: Lishan Li <lilishan48@gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="047d7b3a87f6cc5dc005233e475d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/zwNPbCxIX8fpNTd5_kZfIMuHApo>
Cc: dhcwg <dhcwg@ietf.org>
Subject: Re: [dhcwg] Fwd: New Version Notification for draft-li-dhc-secure-dhcpv6-deployment-01.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2015 13:28:06 -0000
Dear Jinmei, Sorry for not correct your raised problem in the current version. I rethink the problem, and the following is my humble opinions. For the scenario that client is roaming and also want to ensure safety, such as public coffee room and enterprises that allows BYOD, the server's certificate can be obtained out of band, such as the QR code in some place. There is also "install this app from the store using 3G/4G then you can get on our wifi", the server's certificate is obtained through the 3G/4G network. According to your another email. I think there are some scenarios for the use of TOFU: 1. the initial setup home network or some temporary network that for a few days or sporadically. In such scenario, It would not be expected that the network developer have asked permission from CA before setting up the network. 2. A weak form of mitigation against DHCPv6 session hijacking. Looking forward to your further guidance. Best Regards, Lishan 2015-10-29 2:20 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>: > At Sat, 24 Oct 2015 22:39:09 +0800, > Lishan Li <lilishan48@gmail.com> wrote: > > > We have submitted a new version of the > > draft-li-dhc-secure-dhcpv6-deployment-01. Thanks very > > much for the constructive comments from Sheng Jiang and Jinmei. > > In this version, we have mainly made the following change: > > 1. restructure the document to clearly describe the mechanism; > > 2. emphasize the secure DHCPv6 mechanisms deployment difficulties; > > 3. correct some grammar mistakes and improper expressions. > > Just from a very quick scan, it has the same issue I raised for the > previous version: > > TOFU plays a role in the scenario where the DHCPv6 client is mobile > and connects to random networks. > > Referring to "random networks" in the case for TOFU (for > authentication) will be controversial at best, and IMHO even > problematic; not using the term "coffee shop" doesn't address the main > point. There might be a minor niche where this combination makes > sense, but that will require more detailed discussions on the > underlying assumptions. Perhaps your primary focus is to use TOFU > mainly for encryption rather than authentication? If so, it would be > better to clarify the intent and discuss it accordingly. > > -- > JINMEI, Tatuya >