[Mipshop] Re: Comments on draft-ietf-mipshop-handover-key-01.txt
Vijay Devarapalli <vijay.devarapalli@azairenet.com> Tue, 18 September 2007 21:42 UTC
Return-path: <mipshop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IXkpW-0002pD-As; Tue, 18 Sep 2007 17:42:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IXkpV-0002p8-T7 for mipshop@ietf.org; Tue, 18 Sep 2007 17:42:01 -0400
Received: from mail2.azairenet.com ([207.47.15.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IXkpQ-0004fy-H5 for mipshop@ietf.org; Tue, 18 Sep 2007 17:42:01 -0400
Received: from [127.0.0.1] ([207.47.15.6]) by mail2.azairenet.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Tue, 18 Sep 2007 14:41:50 -0700
Message-ID: <46F0461C.8080804@azairenet.com>
Date: Tue, 18 Sep 2007 14:41:48 -0700
From: Vijay Devarapalli <vijay.devarapalli@azairenet.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: James Kempf <kempf@docomolabs-usa.com>
References: <46F01B32.1010708@azairenet.com> <051901c7fa31$e965c190$576115ac@dcml.docomolabsusa.com>
In-Reply-To: <051901c7fa31$e965c190$576115ac@dcml.docomolabsusa.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 18 Sep 2007 21:41:50.0535 (UTC) FILETIME=[B898C570:01C7FA3C]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 92df29fa99cf13e554b84c8374345c17
Cc: mipshop@ietf.org, "Koodli Rajeev (NSN - US/Palo Alto)" <rajeev.koodli@nsn.com>
Subject: [Mipshop] Re: Comments on draft-ietf-mipshop-handover-key-01.txt
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
James Kempf wrote: > In section 4.1, you should have a field that tells what the length of > the key is rather than what how much padding has been added. Since the > "Length" field is a multiple of 8 octets, you know how much padding has > been added based on the length of other fields. If the key length is > fixed, then again you know much padding has been added. So in both > cases, you don't need the "Pad Length" field. > > jak>> This is how it was done with SEND. The advantage of this is > that the field can be only 8 bits instead of 16 and thereby allow an > arbitrary sized key. I don't follow. I don't know why it was done that way in RFC 3971, but to me it appears like a cleaner option to have a length field that tells what the length of the key and the rest would be padding. Anyway, both with work. > jak>> Per the discussion with Julian, the Key Hash is unnecessary if the > SEND nonce is included, which it must be for anti-replay protection. So > I've dropped the Key Hash. Ok. > I am confused by the following text > >> If the AR does not respond to the PrRtSol, as would be the case if >> the proxy router functionality is not deployed, the MN MAY include >> the Handover Key Request option in a standard IPv6 SEND-protected >> Router Solicitation (RS) instead [RFC2461]. > > If the AR does not respond to PrRtSol, is it compliant to 4068bis? I saw > the exchange with Julien. I agree that exchanging the neighborhood > information is optional, but responding to a Proxy Router Solicitation > for a mobile node is not option. The access router must respond with > whatever information it has, right? > > jak>> Right, I believe that PrRtSol/PrRtAdv is optional to deploy. If it > not deployed, there will be no PrRtAdv response if the MN deploys it and > sends the PrRtSol but the AR does not. If neither do, then the MN would > just use the RS/RA from the start. > > jak>> Dunno about this. The FMIP spec says nothing about how this > optionality should be handled. There is no recommendation of a > configuration variable or anything on the MN to indicate whether it is > deployed, nor any indication from the router if it deploys the PrRt > methods which would let the MN decide which to send. So there is not > much we can do in this spec with respect to providing guidance about how > to do the key exchange if the PrRtSol/PrRtAdv is not deployed, except to > say that if the MN doesn't get a response, it should try something > different. > > jak>> Any suggestions about how to fix this? I will follow up on the other thread. > In section 3.7 > >> HKEPK-HANDOVERS: The maximum number of handovers for which the >> handover key encryption public key should be >> reused. Default is 10. > > Just curious, why 10? > > jak>> I did not do an extensive analysis on probability of cracking the > RSA key to come up with the number. Is there another number you think > would be more appropriate? No. I just wanted to figure out if there was a reason behind "10". Vijay _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop
- [Mipshop] Comments on draft-ietf-mipshop-handover… Vijay Devarapalli
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… James Kempf
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… Rajeev Koodli
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… James Kempf
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… Vijay Devarapalli
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… Vijay Devarapalli
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… Rajeev Koodli
- [Mipshop] Re: Comments on draft-ietf-mipshop-hand… James Kempf