Re: [Int-area] SeND & CGA Extensions BOF
"Jean-Michel Combes" <jeanmichel.combes@gmail.com> Wed, 06 June 2007 16:26 UTC
Date: Wed, 06 Jun 2007 18:26:01 +0200
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: [Int-area] SeND & CGA Extensions BOF
Cc: INT Area <int-area@ietf.org>
Hi,

in fact I think I have an issue with SEND but I really don't know whether this BOF would be the right place or not.

Background: On one side, Prefix delegation (PD) protocols have been specified, like RFC 3633 based on DHCP, the draft "draft-ietf-nemo-prefix-delegation-01" for NEMO based on Mobility Header (MH) or the draft "draft-sarikaya-netlmm-prefix-delegation-00.txt" for PMIP based on DHCP/RADIUS/MH. On the other hand, if I remember correctly (I am not a certs expert), the CMS protocol allows one to get certificates and can be transported over HTTP/TCP/MIME.

The issue, IMHO, is that it seems there is no easy/simple way to combine PD and certs generation in the case where you want to use SEND (the RtAdv security part). Am I wrong?

If this is a real issue, where to do the work? In this BOF? In the PKIX WG?

Comments are very welcome :)

Best regards.

JMC.

2007/6/5, Jean-Michel Combes <jeanmichel.combes@gmail.com>:
> Hi,
>
> I support such a future work, especially the interaction between IKE and CGA.
>
> Best regards.
>
> JMC.
>
> 2007/6/1, marcelo bagnulo braun <marcelo@it.uc3m.es>:
> > Hi,
> >
> > we have proposed a BOF on SeND and CGA extensions for the Chicago IETF.
> > I attach the proposed charter below. There is a mailing list created
> > for the discussion (https://www1.ietf.org/mailman/listinfo/cga-ext)
> >
> > If you have comments about the proposed work, it would be appreciated.
> >
> > Thanks, marcelo
> >
> >
> > Proposed charter for SeND & CGA Extensions BOF
> >
> > The Secure Neighbour Discovery (SeND) protocol as defined in RFC 3971
> > provides the security mechanisms to protect the different
> > functions performed by the Neighbour Discovery (ND) protocol,
> > including the discovery of other nodes on the link and their
> > link-layer addresses, router discovery and reachability detection
> > for the paths to active neighbors. However, the current SeND
> > specification lacks support for ND Proxies as defined in
> > RFC 4389.
> >
> > The SeND protocol relies on the usage of
> > Cryptographically Generated Addresses (CGAs) to provide some of
> > these functions, in particular to provide IPv6 address ownership
> > proof to the other nodes on the link and authenticate node related
> > information of the ND protocol. CGAs are defined in RFC 3972 which
> > has been recently updated by RFC 4581 to define the CGA extension
> > format and by RFC-to-be draft-bagnulo-multiple-hash-cga-03.txt to
> > support multiple hash functions. While CGAs were originally
> > defined for the SeND protocol, they have proved to be a useful
> > security tool in other environments too, and their usage has been
> > proposed to secure other protocols such as the Shim6 multihoming
> > protocol and the Mobile IPv6 protocol. As the CGAs become more
> > widely used for different purposes, it is necessary to produce
> > some extensions to support such new usages.
> >
> > The objective of this working group is to define extensions related
> > both to the SeND protocol and to the CGAs. The following are
> > charter items for the working group:
> >
> > - Extensions to the SeND protocol to support Neighbour Discovery
> > Proxies: the SeND protocol as currently defined in RFC 3971 lacks
> > support for ND Proxies defined in RFC 4389. Extensions to the SeND
> > protocol will be defined in order to provide equivalent SeND
> > security capabilities to ND Proxies.
> >
> > - Extensions to the IKEv2 protocol to create IPSec SAs associated with
> > the CGA key. Because of their cryptographic nature, CGAs are
> > inherently bound to the key pair that was used for their generation.
> > This is used in existing protocols for proving address ownership.
> > However, it would be possible also to use this cryptographic material
> > to create a security association between peers. The key benefit of
> > such an approach is that it allows the creation of a security association
> > that is cryptographically bound to the IP address of the end points
> > without dependence on a common trust anchor point, e.g. PKI. Such an
> > approach would provide additional protection compared to the
> > opportunistic approaches. The proposed work will produce an analysis
> > of this type of solution and the required extensions to CGAs and to
> > the IKEv2 protocol in order to be able to create IPSec SAs using the
> > CGA keys.
> >
> > - DHCP support for CGAs. An analysis of possible approaches to allow
> > the usage of the DHCP protocol to assign CGAs will be produced. The
> > output of the analysis will be an informational document describing
> > the recommended approaches that will be provided as an input to the
> > DHC working group where the actual DHCP extensions needed for the
> > recommended approaches will be defined.
> >
> > - Define a CGA extension to support other public key algorithms: As
> > currently defined, CGAs can only use RSA keys in the CGA Parameter
> > Data Structure. An extension to update the CGA specification in
> > order to support multiple public key cryptographic algorithms will be
> > defined.
> >
> >
> > Related drafts:
> >
> > draft-kempf-mobopts-ringsig-ndproxy-01.txt
> > draft-laganier-ike-ipv6-cga-01.txt
> >

_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area
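The charter's point that a CGA is "inherently bound to the key pair that was used for their generation" is the RFC 3972 construction: the interface identifier is a SHA-1 hash over the key and the CGA Parameters, with the Sec value forcing extra leading zero bits in a second hash. The following Python is an added illustration, not part of this thread or of any draft it names; it generates and verifies a CGA exactly as RFC 3972 sections 4 and 5 describe, with a constructed byte string standing in for the DER-encoded public key and no extension fields.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo that RFC 3972
# puts in the CGA Parameters; any byte string exercises the binding the same way.
SAMPLE_PUBKEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"cga-demo-key"


def _hash2(modifier, pubkey, ext=b""):
    # Hash2 input: modifier || 9 zero bytes || public key || extensions
    return hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()


def _hash1(modifier, prefix, count, pubkey, ext=b""):
    # Hash1 input: modifier || subnet prefix || collision count || public key || extensions
    return hashlib.sha1(modifier + prefix + bytes([count]) + pubkey + ext).digest()


def generate_cga(prefix, pubkey, sec, modifier=None, ext=b""):
    """RFC 3972 section 4. Returns (address, params) where
    params = (modifier, prefix_bytes, collision_count, pubkey, ext)."""
    prefix = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Steps 2-3: search the modifier until Hash2 has 16*Sec leading zero bits.
    while sec and int.from_bytes(_hash2(modifier, pubkey, ext)[:2 * sec], "big"):
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    count = 0  # collision count; SeND raises it (max 2) after a detected DAD collision
    # Steps 5-6: IID = leftmost 64 bits of Hash1, Sec in the 3 leftmost bits, u/g bits cleared.
    iid = bytearray(_hash1(modifier, prefix, count, pubkey, ext)[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return ipaddress.IPv6Address(prefix + bytes(iid)), (modifier, prefix, count, pubkey, ext)


def verify_cga(addr, params):
    """RFC 3972 section 5. True only if the address is bound to this key and these parameters."""
    modifier, prefix, count, pubkey, ext = params
    packed = ipaddress.IPv6Address(addr).packed
    if count not in (0, 1, 2) or packed[:8] != prefix:
        return False
    iid, h1 = packed[8:], _hash1(modifier, prefix, count, pubkey, ext)[:8]
    # Compare Hash1 with the IID, ignoring bits 0-2 (Sec) and 6-7 (u/g) of the first byte.
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5
    # Hash2 must have 16*Sec leading zero bits; a forged key cannot satisfy both hashes.
    return int.from_bytes(_hash2(modifier, pubkey, ext)[:2 * sec], "big") == 0
```

Sec=1 makes the modifier search run on the order of 65536 SHA-1 operations, which is what makes brute-forcing a matching key for an existing address costly for an attacker while keeping generation cheap for the owner.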