Re: [DNSOP] [dnsext] We want to have fruitful discussions - please review

"Hosnieh Rafiee" <ietf@rozanak.com> Mon, 03 March 2014 09:23 UTC

From: "Hosnieh Rafiee" <ietf@rozanak.com>
To: 神明達哉 <jinmei@wide.ad.jp>
References: <002101cf3495$1ad2d570$50788050$@rozanak.com> <CAJE_bqdFknJ7Dy9QUJaQUj9Ca40TM0jWCfGNNyUSEkF5d39Rqw@mail.gmail.com> <004601cf36c0$ec06e7d0$c414b770$@rozanak.com>
In-Reply-To: <004601cf36c0$ec06e7d0$c414b770$@rozanak.com>
Date: Mon, 3 Mar 2014 10:23:36 +0100
Message-ID: <004701cf36c2$416a13e0$c43e3ba0$@rozanak.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/t6rWFG_Yv2_guJwv35TQ1ywuIvI
Cc: 'dnsop' <DNSOP@ietf.org>, 'DNSEXT Group Working' <dnsext@ietf.org>
Subject: Re: [DNSOP] [dnsext] We want to have fruitful discussions - please review

Follow up,

The good thing about CGA-TSIG, or using CGA or SSAS as the algorithm, is
that if you only know the IP address (set it manually the first time, or
receive it in a secure way, e.g. if you can trust your router), then there
is no need for any check on the public key, since there is a binding
between this public key and the IP address. I am not sure whether the
chairs uploaded the slides. If so, you can find the scenarios there as
well.

Thanks,
Hosnieh

 
> Thanks for your question and review.
> 
> > > [...] For DNS resolver, it
> > > receives this IP address securely via the option in the router
> > > advertisement message.
> >
> > So, the security of this approach relies on how securely the client
> > can get the resolver's address, e.g.,
> > - Using SEND for RAs with RFC 6106
> > - (If and when it's defined) Using public-key based DHCPv6
> >   authentication
> > And, to make this part secure, the client needs to get the router's
> > certification or the server's public key securely beforehand.
> >
> > Is my understanding correct?
> 
> To some extent correct, but it is not bound to that option. One
> example is where you are in an untrusted network like a café. We assume
> that you cannot trust your router, or the router does not support SeND,
> and you really want to ensure that an MITM attack will not happen while
> browsing any websites (like your bank, etc.); then you can always set
> the IP address of a trusted resolver yourself. One example can be the
> use of an IP address of the Google resolver, or any other resolver that
> supports CGA-TSIG (it can be your home resolver as well). Your node can
> verify that using the CGA or SSAS algorithm.
> 
> I hope I could answer your question.
> Smile,
> Hosnieh
> 
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
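The binding the message above relies on is the one RFC 3972 defines for
Cryptographically Generated Addresses: the interface identifier of the
resolver's IPv6 address is a hash of its public key and some parameters,
so a client that trusts nothing but the address can still check that the
key presented with it (for instance to verify a CGA-TSIG signature) is the
one the address was generated from. The example below is added here to
illustrate that check and is not code from the CGA-TSIG draft or from
anyone in this thread; it covers the CGA case only, not SSAS. The two
"keys" are constructed byte blobs standing in for DER-encoded public keys
(RFC 3972 treats the key as opaque bytes), the prefix is the 2001:db8::/64
documentation prefix, and the `demo` function is a name chosen here for
the resolver-in-a-café scenario.

```python
"""Cryptographically Generated Addresses (RFC 3972): generate an address
from a public key and verify that a presented key owns an address.

Added example for the CGA-TSIG thread, not code from the draft.  The key
material below is a constructed placeholder, not a real DER key."""
import hashlib
import ipaddress
import os
from dataclasses import dataclass

# Constructed placeholders standing in for DER-encoded public keys.
RESOLVER_KEY = b"resolver-public-key-der-placeholder" * 8
ATTACKER_KEY = b"attacker-public-key-der-placeholder" * 8
DOC_PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]  # 2001:db8::/64


@dataclass(frozen=True)
class CGAParams:
    """CGA Parameters data structure (RFC 3972 section 3), no extensions."""
    modifier: bytes        # 16 octets
    subnet_prefix: bytes   # 8 octets, the leftmost 64 bits of the address
    collision_count: int   # 0, 1 or 2
    public_key: bytes      # DER-encoded public key, treated as opaque bytes

    def encode(self) -> bytes:
        return (self.modifier + self.subnet_prefix
                + bytes([self.collision_count]) + self.public_key)


def _hash1(params: CGAParams) -> bytes:
    # Hash1: leftmost 64 bits of SHA-1 over the whole CGA Parameters.
    return hashlib.sha1(params.encode()).digest()[:8]


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    # Hash2: leftmost 112 bits of SHA-1 over the CGA Parameters with the
    # subnet prefix and collision count zeroed (nine zero octets).
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def _leading_zero_bits(value: bytes, n: int) -> bool:
    # True if the n leftmost bits of value are all zero (n == 0 always passes).
    return int.from_bytes(value, "big") >> (len(value) * 8 - n) == 0


def _interface_id(hash1: bytes, sec: int) -> bytes:
    # Sec occupies the three leftmost bits; the u and g bits are cleared.
    return bytes([(sec << 5) | (hash1[0] & 0x1C)]) + hash1[1:]


def generate_cga(public_key: bytes, subnet_prefix: bytes, sec: int,
                 collision_count: int = 0, rng=os.urandom):
    """RFC 3972 section 4.  Returns (address, params).  The modifier search
    costs about 2**(16*sec) SHA-1 calls; that is what Sec buys the owner."""
    if not (0 <= sec <= 7 and 0 <= collision_count <= 2 and len(subnet_prefix) == 8):
        raise ValueError("bad CGA inputs")
    modifier = rng(16)
    while not _leading_zero_bits(_hash2(modifier, public_key), 16 * sec):
        next_mod = (int.from_bytes(modifier, "big") + 1) % (1 << 128)
        modifier = next_mod.to_bytes(16, "big")
    params = CGAParams(modifier, subnet_prefix, collision_count, public_key)
    iid = _interface_id(_hash1(params), sec)
    return ipaddress.IPv6Address(subnet_prefix + iid), params


def verify_cga(address: ipaddress.IPv6Address, params: CGAParams) -> bool:
    """RFC 3972 section 5: does this key (with these parameters) own address?"""
    packed = address.packed
    if not 0 <= params.collision_count <= 2:
        return False
    if params.subnet_prefix != packed[:8]:
        return False
    sec = packed[8] >> 5
    # Compare Hash1 with the interface ID, ignoring Sec and the u/g bits.
    if _interface_id(_hash1(params), sec) != _interface_id(packed[8:], sec):
        return False
    # Hash2 must satisfy the Sec condition too, or Sec would cost nothing.
    return _leading_zero_bits(_hash2(params.modifier, params.public_key), 16 * sec)


def demo(sec: int = 1) -> dict:
    """The scenario in the thread: the client knows only the resolver's
    address.  The genuine resolver's key verifies; a man in the middle
    reusing the same address with its own key does not."""
    address, genuine = generate_cga(RESOLVER_KEY, DOC_PREFIX, sec)
    forged = CGAParams(genuine.modifier, DOC_PREFIX,
                       genuine.collision_count, ATTACKER_KEY)
    return {"address": str(address),
            "genuine": verify_cga(address, genuine),
            "forged": verify_cga(address, forged)}


if __name__ == "__main__":
    print(demo())
```

What the check establishes is exactly what the message claims and no more:
a presenter that passes `verify_cga` holds the key the address was derived
from, so no separate key check is needed. Whether that address belongs to
the resolver you meant to talk to still depends on how you obtained it
(manual configuration or an RA you trust), and `Sec` only raises the cost
of finding a second key for a given address.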