IETF Logo Mail Archive

Re: [Hipsec] Fwd: Status of WG items

Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com> Tue, 25 September 2012 07:26 UTC

Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDF3F21F890F for <hipsec@ietfa.amsl.com>; Tue, 25 Sep 2012 00:26:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.23
X-Spam-Level:
X-Spam-Status: No, score=-106.23 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aS90K9M9BdEi for <hipsec@ietfa.amsl.com>; Tue, 25 Sep 2012 00:26:15 -0700 (PDT)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id 67D6D21F890C for <hipsec@ietf.org>; Tue, 25 Sep 2012 00:26:14 -0700 (PDT)
X-AuditID: c1b4fb2d-b7fea6d000002ccb-92-50615c943613
Received: from esessmw0184.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id B9.5E.11467.49C51605; Tue, 25 Sep 2012 09:26:12 +0200 (CEST)
Received: from [131.160.36.30] (153.88.115.8) by esessmw0184.eemea.ericsson.se (153.88.115.82) with Microsoft SMTP Server id 8.3.264.1; Tue, 25 Sep 2012 09:26:12 +0200
Message-ID: <50615C93.6090300@ericsson.com>
Date: Tue, 25 Sep 2012 10:26:11 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Julien Laganier <julien.ietf@gmail.com>
References: <4FE96F9F.3090800@ericsson.com> <758141CC3D829043A8C3164DD3D593EA1BD324E110@XCH-NW-16V.nw.nos.boeing.com> <4FEA1876.900@cs.rwth-aachen.de> <CAE_dhjveQ6WVVE3BVKk2txfBxNhfWvjbz+QVU2P919dNZ1WO4A@mail.gmail.com> <5012C05B.6080203@nomadiclab.com> <CAE_dhjufW+ic-VaBtqs787jK=xxy_XxnegpgGEtmpjZHsmJ4nA@mail.gmail.com> <505C213F.6050701@ericsson.com> <CAE_dhjv8LRwurQ9QmCmh6Spa+1UuECk1farGAKf_o9gYVsy_Lg@mail.gmail.com> <CAE_dhjsUXVwY8vXNLCwUjXPV9SxHTDbhk4dCt+ffQuQN=a6CMw@mail.gmail.com>
In-Reply-To: <CAE_dhjsUXVwY8vXNLCwUjXPV9SxHTDbhk4dCt+ffQuQN=a6CMw@mail.gmail.com>
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGLMWRmVeSWpSXmKPExsUyM+Jvre6UmMQAg33TVSza3vxis5i6aDKz xZej05gdmD12zrrL7rFkyU8mj85F0QHMUVw2Kak5mWWpRfp2CVwZi5f2sxW8UqiY/e0bYwPj fKkuRk4OCQETiY53DYwQtpjEhXvr2boYuTiEBE4xSlw4cp8VwlnNKLH4+jsmkCpeAW2JW3+v gNksAqoST3pPg9lsAhYSW27dZwGxRQWCJc5t3MYGUS8ocXLmE7C4CFDvqUkNYDazgLPEvr0/ 2UFsYQFdiUOn7zKD2EICb5glJn4UAbE5BQIlls6YwgxxnaTEm8k3oXr1JKZcbWGEsOUltr+d A9WrLbH8WQvLBEahWUhWz0LSMgtJywJG5lWMwrmJmTnp5YZ6qUWZycXF+Xl6xambGIFhfXDL b90djKfOiRxilOZgURLn5Ura7y8kkJ5YkpqdmlqQWhRfVJqTWnyIkYmDU6qBMfvnzv1/XoRr C9vEc7YlXDDvzXCbtuqRl71Wu6ZXj+7L8vN7bPb7CLzsUeY63yH8TbpF/tfUM/73b8oW7Gya cZth67tfV34Ibtt2VdL/u4zChAfHG88/zJzHvueo/9I1cz3t07WeRNSd1OIS0JxUW3u2on/B Tf2DovPDpoffsdC10njEuHCqtxJLcUaioRZzUXEiAKXv24g5AgAA
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Fwd: Status of WG items
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 07:26:15 -0000

Hi,

if we have the appropriate hooks in the main specs, we could do as you
suggest. I would be interested in hearing more opinions, though.

Cheers,

Gonzalo

On 24/09/2012 5:48 PM, Julien Laganier wrote:
> Hi Gonzalo, all,
> 
> So if we include in the registration a dependency towards the standard
> tracks HIP certificates draft (that doesn't exist yet) we would be
> tying the two together such that the registration can't be published
> before the HIP certificate RFC is.
> 
> An alternative would be to move ahead with the current registration
> draft without specific dependency on HIP certificates but leaving the
> door open for these to be used once they are defined in standard
> track; the current draft and RFC already have hooks for authentication
> means beyond HIT authentication:
> 
> 
>                    In particular,
>    REG_FAILED with a failure type of zero indicates the service(s)
>    type(s) that require further credentials for registration.
> 
>    If the registrar requires further authorization and the requester has
>    additional credentials available, the requester SHOULD try to
>    register again with the service after the HIP association has been
>    established.  The precise means of establishing and verifying
>    credentials are beyond the scope of this document and are expected to
>    be defined in other documents.
> 
> Would that be an appropriate way forward?
> 
> --julien
> 
> On Fri, Sep 21, 2012 at 1:11 AM, Gonzalo Camarillo
> <Gonzalo.Camarillo@ericsson.com> wrote:
>> Hi Julien,
>>
>> my take on this is that we need to produce a standards-track document
>> specifying exactly that. This is what our charter says about it:
>>
>> https://datatracker.ietf.org/wg/hip/charter/
>>
>>> o Specify in a standards track RFC how to carry certificates in the
>>> base exchange. This was removed from the base HIP spec so that the
>>> mechanism is specified in a stand-alone spec.
>>
>> Cheers,
>>
>> Gonzalo
>>
>> On 21/09/2012 2:49 AM, Julien Laganier wrote:
>>> On Fri, Jul 27, 2012 at 9:22 AM, Ari Keranen <ari.keranen@nomadiclab.com> wrote:
>>>> Hi Julien,
>>>>
>>>>
>>>> On 7/6/12 3:37 AM, Julien Laganier wrote:
>>>>>
>>>>> - 5203bis (registration) can IMHO be republished as is as I haven't
>>>>> seen any issue with the original version. If people agree I could
>>>>> republish it and we could WGLC it...
>>>>
>>>>
>>>> I posted some comments about 5203bis earlier this year but back then there
>>>> was no discussion regarding them. So, here goes again.
>>>>
>>>> Some of these have been discussed also earlier on this list (these relate to
>>>> requirements discovered with the native NAT traversal draft [1]), but I'll
>>>> have them all here for easier reference.
>>>>
>>>> Currently, the registrar has no way of indicating that it would otherwise
>>>> accept the registration, but it's currently running low on resources. For
>>>> this purpose, a failure type "Insufficient resources" could be added to the
>>>> "registration failure types".
>>>>
>>>> Registration using authentication with certificates could be part of the
>>>> registration RFC. Currently, only authentication with HI is defined, but
>>>> knowing all HIs beforehand is not practical in many cases.
>>>>
>>>> Text in section 3.2. of [1] could be used as a basis for this (just replace
>>>> "HIP' data relay" with "registrar"). Also, if this authentication mode is
>>>> added to the draft, failure type "Invalid certificate" should be added for
>>>> the failure case.
>>>>
>>>> Should we have these in the registration draft?
>>>>
>>>> [1] http://tools.ietf.org/html/draft-ietf-hip-native-nat-traversal
>>>
>>> I was going to shamelessly copy/paste section 3.2 of [1] in the
>>> registration draft but I noticed that [1] actually has a normative
>>> dependency on RFC 6253 "Host Identity Protocol Certificates" which is
>>> Experimental. Thus adding the support for certificates to a standard
>>> track HIP registration would cause a so-called downref which could be
>>> problematic...
>>>
>>> Gonzalo - what is your take on this?
>>>
>>> --julien
>>>
>>
> 
>

v2.23.0 | Report a Bug | By Email