Re: [Int-area] SeND & CGA Extensions BOF

"Jean-Michel Combes" <jeanmichel.combes@gmail.com> Tue, 05 June 2007 11:54 UTC

Message-ID: <729b68be0706050454v55eda5d2mc1fedb252728bcf7@mail.gmail.com>
Date: Tue, 05 Jun 2007 13:54:06 +0200
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: [Int-area] SeND & CGA Extensions BOF
In-Reply-To: <a50af956f4a4127e3f9c863b092c1f07@it.uc3m.es>
References: <a50af956f4a4127e3f9c863b092c1f07@it.uc3m.es>
Cc: INT Area <int-area@ietf.org>

Hi,

I support such future work, especially the interaction between IKE and CGA.

Best regards.

JMC.

2007/6/1, marcelo bagnulo braun <marcelo@it.uc3m.es>:
> Hi,
>
> we have proposed a BOF on SeND and CGA extensions for the Chicago IETF.
> I attach the proposed charter below. There is a mailing list created
> for the discussion (https://www1.ietf.org/mailman/listinfo/cga-ext)
>
> If you have comments about the proposed work, it would be appreciated.
>
> Thanks, marcelo
>
>
>
> Proposed charter for SeND & CGA Extensions BOF
>
> The Secure Neighbour Discovery (SeND) protocol as defined in RFC 3971
> provides the security mechanisms to protect the different
> functions performed by the Neighbour Discovery (ND) protocol,
> including the discovery of other nodes on the link and their
> link-layer addresses, router discovery and reachability detection
> for the paths to active neighbors. However, the current SeND
> specification lacks support for ND Proxies as defined in
> RFC 4389. The SeND protocol relies on the usage of
> Cryptographically Generated Addresses (CGAs) to provide some of
> these functions, in particular to provide IPv6 address ownership
> proof to the other nodes on the link and authenticate node related
> information of the ND protocol. CGAs are defined in RFC 3972 which
> has been recently updated by RFC 4581 to define the CGA extension
> format and by RFC-to-be draft-bagnulo-multiple-hash-cga-03.txt to
> support multiple hash functions. While CGAs were originally
> defined for the SeND protocol, they have proved to be a useful
> security tool in other environments too, and their usage has been
> proposed to secure other protocols such as the Shim6 multihoming
> protocol and the Mobile IPv6 protocol. As the CGAs become more
> widely used for different purposes, it is necessary to produce
> some extensions to support such new usages.
>
> The objective of this working group is to define extensions related
> both to the SeND protocol and to the CGAs. The following are
> charter items for the working group:
>
> - Extensions to the SeND protocol to support Neighbour Discovery
> Proxies: the SeND protocol as currently defined in RFC 3971 lacks
> support for ND Proxies defined in RFC 4389. Extensions to the SeND
> protocol will be defined in order to provide equivalent SeND
> security capabilities to ND Proxies.
>
> - Extensions to the IKEv2 protocol to create IPSec SAs associated with
> the CGA key. Because of their cryptographic nature, CGAs are
> inherently bound to the key pair that was used for their generation.
> This is used in existing protocols for proving address ownership.
> However, it would also be possible to use this cryptographic material
> to create a security association between peers. The key benefit of
> such an approach is that it allows the creation of a security association
> that is cryptographically bound to the IP address of the end points
> without dependence on a common trust anchor point, e.g. a PKI. Such an
> approach would provide additional protection compared to the
> opportunistic approaches. The proposed work will produce an analysis
> of this type of solution and the required extensions to CGAs and to
> the IKEv2 protocol in order to be able to create IPSec SAs using the
> CGA keys.
>
> - DHCP support for CGAs. An analysis of possible approaches to allow
> the usage of the DHCP protocol to assign CGAs will be produced. The
> output of the analysis will be an informational document describing
> the recommended approaches that will be provided as an input to the
> DHC working group where the actual DHCP extensions needed for the
> recommended approaches will be defined.
>
> - Define a CGA extension to support other public key algorithms: As
> currently defined, CGAs can only use RSA keys in the CGA Parameter
> Data Structure. An extension to update the CGA specification in
> order to support multiple public key cryptographic algorithms will be
> defined.
>
>
> Related drafts:
>
> draft-kempf-mobopts-ringsig-ndproxy-01.txt
> draft-laganier-ike-ipv6-cga-01.txt
>
>
>
> _______________________________________________
> Int-area mailing list
> Int-area@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/int-area
>


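The IKEv2 charter item above rests on a CGA being cryptographically bound to the key pair that generated it. As an added example, not code from this thread or from the cited drafts, here is a minimal RFC 3972 CGA generation and verification in Python; a constructed byte string stands in for the DER-encoded public key, and extension fields are omitted.

```python
import hashlib
import ipaddress
import os

# Added example, not code from the thread: a minimal RFC 3972 CGA generate/verify
# showing how the address is bound to the public key. A constructed byte string
# stands in for the DER-encoded public key so it runs offline; no extension fields.
PREFIX = bytes.fromhex("20010db800000000")          # 2001:db8::/64 (documentation prefix)
PUBKEY = b"CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY-BLOB"  # assumption: real CGAs carry SubjectPublicKeyInfo

def _hash2_ok(modifier, pubkey, sec):
    """Hash2 = leftmost 112 bits of SHA-1(Modifier | 9 zero bytes | Public Key).
    Its 16*Sec leftmost bits must be zero: the generator pays this work once, an
    attacker must repeat it per forged address (hash extension). Sec=0 always passes."""
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def _interface_id(params, sec):
    """Hash1 = leftmost 64 bits of SHA-1(CGA Parameters); Sec goes into the three
    leftmost bits and the u/g bits (bits 6 and 7 from the left) are cleared."""
    h1 = bytearray(hashlib.sha1(params).digest()[:8])
    h1[0] = (h1[0] & 0x1C) | (sec << 5)
    return bytes(h1)

def generate(prefix, pubkey, sec, coll=0, modifier=None):
    """Return (16-byte address, CGA Parameters). Parameters = Modifier(16) |
    Subnet Prefix(8) | Collision Count(1) | Public Key. The modifier is incremented
    until the Hash2 condition for Sec holds."""
    m = int.from_bytes(modifier or os.urandom(16), "big")
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    params = m.to_bytes(16, "big") + prefix + bytes([coll]) + pubkey
    return prefix + _interface_id(params, sec), params

def verify(address, params):
    """RFC 3972 section 5 checks: collision count, subnet prefix, Hash1, Hash2."""
    modifier, prefix, coll, pubkey = params[:16], params[16:24], params[24], params[25:]
    if coll > 2 or address[:8] != prefix:
        return False
    sec = address[8] >> 5                       # Sec is carried in the address itself
    if address[8:] != _interface_id(params, sec):
        return False                            # interface ID not derived from this key
    return _hash2_ok(modifier, pubkey, sec)     # hash-extension condition for Sec

if __name__ == "__main__":
    addr, params = generate(PREFIX, PUBKEY, sec=1)
    print(ipaddress.IPv6Address(addr), verify(addr, params))
    # Same address presented with a different key: the ownership proof fails.
    print(verify(addr, params[:25] + b"ANOTHER-KEY"))
```

Raising Sec by one multiplies the generation cost by 2^16; sec=1 already takes tens of thousands of SHA-1 evaluations, which is why the thread's multiple-hash and key-algorithm extensions matter for the cost/strength trade-off.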