Re: [Hipsec] Fwd: Status of WG items
Ari Keranen <ari.keranen@nomadiclab.com> Fri, 14 December 2012 13:14 UTC
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8DB021F873C for <hipsec@ietfa.amsl.com>; Fri, 14 Dec 2012 05:14:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2pfTrafnjP2 for <hipsec@ietfa.amsl.com>; Fri, 14 Dec 2012 05:14:56 -0800 (PST)
Received: from gw.nomadiclab.com (unknown [IPv6:2001:14b8:400:101::2]) by ietfa.amsl.com (Postfix) with ESMTP id E46B121F86C3 for <hipsec@ietf.org>; Fri, 14 Dec 2012 05:14:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by gw.nomadiclab.com (Postfix) with ESMTP id 3C6744E6EF; Fri, 14 Dec 2012 15:14:55 +0200 (EET)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from gw.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61kqdg3slSOM; Fri, 14 Dec 2012 15:14:51 +0200 (EET)
Received: from tri62.nomadiclab.com (localhost [IPv6:::1]) by gw.nomadiclab.com (Postfix) with ESMTPSA id 2B2D24E6EC; Fri, 14 Dec 2012 15:14:51 +0200 (EET)
Message-ID: <50CB264A.7030403@nomadiclab.com>
Date: Fri, 14 Dec 2012 15:14:50 +0200
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: hipsec@ietf.org
References: <4FE96F9F.3090800@ericsson.com> <758141CC3D829043A8C3164DD3D593EA1BD324E110@XCH-NW-16V.nw.nos.boeing.com> <4FEA1876.900@cs.rwth-aachen.de> <CAE_dhjveQ6WVVE3BVKk2txfBxNhfWvjbz+QVU2P919dNZ1WO4A@mail.gmail.com> <5012C05B.6080203@nomadiclab.com> <CAE_dhjufW+ic-VaBtqs787jK=xxy_XxnegpgGEtmpjZHsmJ4nA@mail.gmail.com> <505C213F.6050701@ericsson.com> <CAE_dhjv8LRwurQ9QmCmh6Spa+1UuECk1farGAKf_o9gYVsy_Lg@mail.gmail.com> <CAE_dhjsUXVwY8vXNLCwUjXPV9SxHTDbhk4dCt+ffQuQN=a6CMw@mail.gmail.com> <50615C93.6090300@ericsson.com> <5080010B.7030605@cs.hut.fi>
In-Reply-To: <5080010B.7030605@cs.hut.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] Fwd: Status of WG items
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2012 13:14:57 -0000
Or we can do this. However, I would not be too concerned for the CERT draft blocking the reg draft given that the CERT draft should not require much (any?) changes for STD track. Of course that would need someone driving that work too. If there's not enough interest for that work (I think it's important but don't have the cycles to do it myself), it makes sense to go forward as proposed below. Cheers, Ari On 10/18/12 4:15 PM, Miika Komu wrote: > Hi Julien, > > your suggestion sounds fine. > > On 09/25/2012 10:26 AM, Gonzalo Camarillo wrote: >> Hi, >> >> if we have the appropriate hooks in the main specs, we could do as you >> suggest. I would be interested in hearing more opinions, though. >> >> Cheers, >> >> Gonzalo >> >> On 24/09/2012 5:48 PM, Julien Laganier wrote: >>> Hi Gonzalo, all, >>> >>> So if we include in the registration a dependency towards the standard >>> tracks HIP certificates draft (that doesn't exist yet) we would be >>> tying the two together such that the registration can't be published >>> before the HIP certificate RFC is. >>> >>> An alternative would be to move ahead with the current registration >>> draft without specific dependency on HIP certificates but leaving the >>> door open for these to be used once they are defined in standard >>> track; the current draft and RFC already have hooks for authentication >>> means beyond HIT authentication: >>> >>> >>> In particular, >>> REG_FAILED with a failure type of zero indicates the service(s) >>> type(s) that require further credentials for registration. >>> >>> If the registrar requires further authorization and the requester >>> has >>> additional credentials available, the requester SHOULD try to >>> register again with the service after the HIP association has been >>> established. The precise means of establishing and verifying >>> credentials are beyond the scope of this document and are >>> expected to >>> be defined in other documents. >>> >>> Would that be an appropriate way forward? >>> >>> --julien >>> >>> On Fri, Sep 21, 2012 at 1:11 AM, Gonzalo Camarillo >>> <Gonzalo.Camarillo@ericsson.com> wrote: >>>> Hi Julien, >>>> >>>> my take on this is that we need to produce a standards-track document >>>> specifying exactly that. This is what our charter says about it: >>>> >>>> https://datatracker.ietf.org/wg/hip/charter/ >>>> >>>>> o Specify in a standards track RFC how to carry certificates in the >>>>> base exchange. This was removed from the base HIP spec so that the >>>>> mechanism is specified in a stand-alone spec. >>>> >>>> Cheers, >>>> >>>> Gonzalo >>>> >>>> On 21/09/2012 2:49 AM, Julien Laganier wrote: >>>>> On Fri, Jul 27, 2012 at 9:22 AM, Ari Keranen >>>>> <ari.keranen@nomadiclab.com> wrote: >>>>>> Hi Julien, >>>>>> >>>>>> >>>>>> On 7/6/12 3:37 AM, Julien Laganier wrote: >>>>>>> >>>>>>> - 5203bis (registration) can IMHO be republished as is as I haven't >>>>>>> seen any issue with the original version. If people agree I could >>>>>>> republish it and we could WGLC it... >>>>>> >>>>>> >>>>>> I posted some comments about 5203bis earlier this year but back >>>>>> then there >>>>>> was no discussion regarding them. So, here goes again. >>>>>> >>>>>> Some of these have been discussed also earlier on this list (these >>>>>> relate to >>>>>> requirements discovered with the native NAT traversal draft [1]), >>>>>> but I'll >>>>>> have them all here for easier reference. >>>>>> >>>>>> Currently, the registrar has no way of indicating that it would >>>>>> otherwise >>>>>> accept the registration, but it's currently running low on >>>>>> resources. For >>>>>> this purpose, a failure type "Insufficient resources" could be >>>>>> added to the >>>>>> "registration failure types". >>>>>> >>>>>> Registration using authentication with certificates could be part >>>>>> of the >>>>>> registration RFC. Currently, only authentication with HI is >>>>>> defined, but >>>>>> knowing all HIs beforehand is not practical in many cases. >>>>>> >>>>>> Text in section 3.2. of [1] could be used as a basis for this >>>>>> (just replace >>>>>> "HIP' data relay" with "registrar"). Also, if this authentication >>>>>> mode is >>>>>> added to the draft, failure type "Invalid certificate" should be >>>>>> added for >>>>>> the failure case. >>>>>> >>>>>> Should we have these in the registration draft? >>>>>> >>>>>> [1] http://tools.ietf.org/html/draft-ietf-hip-native-nat-traversal >>>>> >>>>> I was going to shamelessly copy/paste section 3.2 of [1] in the >>>>> registration draft but I noticed that [1] actually has a normative >>>>> dependency on RFC 6253 "Host Identity Protocol Certificates" which is >>>>> Experimental. Thus adding the support for certificates to a standard >>>>> track HIP registration would cause a so-called downref which could be >>>>> problematic... >>>>> >>>>> Gonzalo - what is your take on this? >>>>> >>>>> --julien >>>>> >>>> >>> >>> >> >> _______________________________________________ >> Hipsec mailing list >> Hipsec@ietf.org >> https://www.ietf.org/mailman/listinfo/hipsec >> > > _______________________________________________ > Hipsec mailing list > Hipsec@ietf.org > https://www.ietf.org/mailman/listinfo/hipsec
- [Hipsec] Status of WG items Gonzalo Camarillo
- Re: [Hipsec] Status of WG items Henderson, Thomas R
- Re: [Hipsec] Status of WG items Tobias Heer
- Re: [Hipsec] Status of WG items Gonzalo Camarillo
- Re: [Hipsec] Status of WG items Julien Laganier
- Re: [Hipsec] Status of WG items Henderson, Thomas R
- Re: [Hipsec] Status of WG items Ari Keranen
- Re: [Hipsec] Status of WG items Robert Moskowitz
- Re: [Hipsec] Status of WG items Ari Keranen
- Re: [Hipsec] Status of WG items Gonzalo Camarillo
- Re: [Hipsec] Status of WG items Julien Laganier
- Re: [Hipsec] Status of WG items Ari Keranen
- Re: [Hipsec] Status of WG items Julien Laganier
- Re: [Hipsec] Status of WG items Gonzalo Camarillo
- Re: [Hipsec] Status of WG items Julien Laganier
- Re: [Hipsec] Status of WG items Henderson, Thomas R
- Re: [Hipsec] Status of WG items Miika Komu
- [Hipsec] Fwd: Status of WG items Julien Laganier
- Re: [Hipsec] Fwd: Status of WG items Gonzalo Camarillo
- Re: [Hipsec] Fwd: Status of WG items Miika Komu
- Re: [Hipsec] Status of WG items Ari Keranen
- Re: [Hipsec] Fwd: Status of WG items Ari Keranen
- Re: [Hipsec] Fwd: Status of WG items Henderson, Thomas R
- Re: [Hipsec] Fwd: Status of WG items Miika Komu
- Re: [Hipsec] Fwd: Status of WG items Samu Varjonen
- Re: [Hipsec] Fwd: Status of WG items Ari Keranen