RE: AERO/OMNI dropping support for SEND/CGA

Vasilenko Eduard <vasilenko.eduard@huawei.com> Tue, 01 December 2020 09:07 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: AERO/OMNI dropping support for SEND/CGA
Date: Tue, 01 Dec 2020 09:06:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/V_MXgKT0PWI8MKk3EHifLF2g0r0>

Hi Fred,
SeND needs a refresh. CGA looks ridiculous now in principle. You should not use it.

I am not sure: does it make sense to develop something else instead (based on elliptic curves)?
As Fernando pointed out many times: many things in ND could be resolved only by digital signature (he calls it "untrusted model").
But as we see: the market has rejected PKI. Digital signature is not useful without proper key management.
IMHO: it is better to keep digital signature as a separate standard.
Therefore, if you have cycles for a separate OMNI addendum, then it is better to have it for completeness. If not - not much to lose now.
But make sure that Open Key Cryptography and PKI (!) would be possible to add later.
What if something would be innovated in PKI and it became popular?
Reminder: PKI is needed not just for ND. Enterprises are under big pressure to protect all applications by TLS.
Your vertical would probably lead on PKI adoption.

As an alternative: you could talk with IT and Security people in your vertical: if they believe in massive deployment of PKIs then you have to have Digital Signature for ND.
It would still not guarantee that it would be used, because hosts would need support for it at ND level, but it is already a good situation to try.
Hence again, better to keep it in separate specification.

Eduard

> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin (US), Fred L
> Sent: 1 December 2020 1:12
> To: ipv6@ietf.org
> Subject: AERO/OMNI dropping support for SEND/CGA
> 
> Folks, this is a big decision point for the AERO/OMNI drafts but I am preparing to
> drop support for SEND/CGA (RFC3971; RFC3972). This means that IPv6 ND
> message authentication on OMNI interfaces will use a simple HMAC the same as
> is done for Teredo (RFC4380; RFC6081). If anyone knows why that might cause
> problems, it would be best to speak up now.
> 
> Fred