IETF Logo Mail Archive

Re: [Hipsec] Fwd: Status of WG items

Miika Komu <mkomu@cs.hut.fi> Thu, 18 October 2012 13:16 UTC

Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E20AA21F8771 for <hipsec@ietfa.amsl.com>; Thu, 18 Oct 2012 06:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.479
X-Spam-Level:
X-Spam-Status: No, score=-6.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTZ+kFWSzkbR for <hipsec@ietfa.amsl.com>; Thu, 18 Oct 2012 06:16:04 -0700 (PDT)
Received: from mail.cs.hut.fi (mail.cs.hut.fi [130.233.192.7]) by ietfa.amsl.com (Postfix) with ESMTP id 6C59721F877E for <hipsec@ietf.org>; Thu, 18 Oct 2012 06:16:00 -0700 (PDT)
Received: from [127.0.0.1] (hutcs.cs.hut.fi [130.233.192.10]) by mail.cs.hut.fi (Postfix) with ESMTP id 4270930817B for <hipsec@ietf.org>; Thu, 18 Oct 2012 16:15:56 +0300 (EEST)
Message-ID: <5080010B.7030605@cs.hut.fi>
Date: Thu, 18 Oct 2012 16:15:55 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: hipsec@ietf.org
References: <4FE96F9F.3090800@ericsson.com> <758141CC3D829043A8C3164DD3D593EA1BD324E110@XCH-NW-16V.nw.nos.boeing.com> <4FEA1876.900@cs.rwth-aachen.de> <CAE_dhjveQ6WVVE3BVKk2txfBxNhfWvjbz+QVU2P919dNZ1WO4A@mail.gmail.com> <5012C05B.6080203@nomadiclab.com> <CAE_dhjufW+ic-VaBtqs787jK=xxy_XxnegpgGEtmpjZHsmJ4nA@mail.gmail.com> <505C213F.6050701@ericsson.com> <CAE_dhjv8LRwurQ9QmCmh6Spa+1UuECk1farGAKf_o9gYVsy_Lg@mail.gmail.com> <CAE_dhjsUXVwY8vXNLCwUjXPV9SxHTDbhk4dCt+ffQuQN=a6CMw@mail.gmail.com> <50615C93.6090300@ericsson.com>
In-Reply-To: <50615C93.6090300@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] Fwd: Status of WG items
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2012 13:16:05 -0000

Hi Julien,

your suggestion sounds fine.

On 09/25/2012 10:26 AM, Gonzalo Camarillo wrote:
> Hi,
>
> if we have the appropriate hooks in the main specs, we could do as you
> suggest. I would be interested in hearing more opinions, though.
>
> Cheers,
>
> Gonzalo
>
> On 24/09/2012 5:48 PM, Julien Laganier wrote:
>> Hi Gonzalo, all,
>>
>> So if we include in the registration a dependency towards the standard
>> tracks HIP certificates draft (that doesn't exist yet) we would be
>> tying the two together such that the registration can't be published
>> before the HIP certificate RFC is.
>>
>> An alternative would be to move ahead with the current registration
>> draft without specific dependency on HIP certificates but leaving the
>> door open for these to be used once they are defined in standard
>> track; the current draft and RFC already have hooks for authentication
>> means beyond HIT authentication:
>>
>>
>>                     In particular,
>>     REG_FAILED with a failure type of zero indicates the service(s)
>>     type(s) that require further credentials for registration.
>>
>>     If the registrar requires further authorization and the requester has
>>     additional credentials available, the requester SHOULD try to
>>     register again with the service after the HIP association has been
>>     established.  The precise means of establishing and verifying
>>     credentials are beyond the scope of this document and are expected to
>>     be defined in other documents.
>>
>> Would that be an appropriate way forward?
>>
>> --julien
>>
>> On Fri, Sep 21, 2012 at 1:11 AM, Gonzalo Camarillo
>> <Gonzalo.Camarillo@ericsson.com> wrote:
>>> Hi Julien,
>>>
>>> my take on this is that we need to produce a standards-track document
>>> specifying exactly that. This is what our charter says about it:
>>>
>>> https://datatracker.ietf.org/wg/hip/charter/
>>>
>>>> o Specify in a standards track RFC how to carry certificates in the
>>>> base exchange. This was removed from the base HIP spec so that the
>>>> mechanism is specified in a stand-alone spec.
>>>
>>> Cheers,
>>>
>>> Gonzalo
>>>
>>> On 21/09/2012 2:49 AM, Julien Laganier wrote:
>>>> On Fri, Jul 27, 2012 at 9:22 AM, Ari Keranen <ari.keranen@nomadiclab.com> wrote:
>>>>> Hi Julien,
>>>>>
>>>>>
>>>>> On 7/6/12 3:37 AM, Julien Laganier wrote:
>>>>>>
>>>>>> - 5203bis (registration) can IMHO be republished as is as I haven't
>>>>>> seen any issue with the original version. If people agree I could
>>>>>> republish it and we could WGLC it...
>>>>>
>>>>>
>>>>> I posted some comments about 5203bis earlier this year but back then there
>>>>> was no discussion regarding them. So, here goes again.
>>>>>
>>>>> Some of these have been discussed also earlier on this list (these relate to
>>>>> requirements discovered with the native NAT traversal draft [1]), but I'll
>>>>> have them all here for easier reference.
>>>>>
>>>>> Currently, the registrar has no way of indicating that it would otherwise
>>>>> accept the registration, but it's currently running low on resources. For
>>>>> this purpose, a failure type "Insufficient resources" could be added to the
>>>>> "registration failure types".
>>>>>
>>>>> Registration using authentication with certificates could be part of the
>>>>> registration RFC. Currently, only authentication with HI is defined, but
>>>>> knowing all HIs beforehand is not practical in many cases.
>>>>>
>>>>> Text in section 3.2. of [1] could be used as a basis for this (just replace
>>>>> "HIP' data relay" with "registrar"). Also, if this authentication mode is
>>>>> added to the draft, failure type "Invalid certificate" should be added for
>>>>> the failure case.
>>>>>
>>>>> Should we have these in the registration draft?
>>>>>
>>>>> [1] http://tools.ietf.org/html/draft-ietf-hip-native-nat-traversal
>>>>
>>>> I was going to shamelessly copy/paste section 3.2 of [1] in the
>>>> registration draft but I noticed that [1] actually has a normative
>>>> dependency on RFC 6253 "Host Identity Protocol Certificates" which is
>>>> Experimental. Thus adding the support for certificates to a standard
>>>> track HIP registration would cause a so-called downref which could be
>>>> problematic...
>>>>
>>>> Gonzalo - what is your take on this?
>>>>
>>>> --julien
>>>>
>>>
>>
>>
>
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
>

v2.23.0 | Report a Bug | By Email