Re: [savi] About draft-dong-savi-cga-header-02.txt
Alberto García <alberto@it.uc3m.es> Mon, 20 July 2009 10:57 UTC
Return-Path: <alberto@it.uc3m.es>
X-Original-To: savi@core3.amsl.com
Delivered-To: savi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B012A3A699C for <savi@core3.amsl.com>; Mon, 20 Jul 2009 03:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DZHHmuAFTQq for <savi@core3.amsl.com>; Mon, 20 Jul 2009 03:57:57 -0700 (PDT)
Received: from smtp02.uc3m.es (smtp02.uc3m.es [163.117.176.132]) by core3.amsl.com (Postfix) with ESMTP id 4BDBC3A67AC for <savi@ietf.org>; Mon, 20 Jul 2009 03:57:56 -0700 (PDT)
Received: from bombo (bombo.it.uc3m.es [163.117.139.125]) by smtp02.uc3m.es (Postfix) with ESMTP id 3C5F66C2451; Mon, 20 Jul 2009 12:28:50 +0200 (CEST)
From: Alberto García <alberto@it.uc3m.es>
To: 'Dong Zhang' <zhangdong_rh@huaweisymantec.com>, 'Christian Vogt' <christian.vogt@ericsson.com>, 'SAVI Mailing List' <savi@ietf.org>
References: <4CB1C400-9A7F-435D-9B7A-B6B1B259E997@ericsson.com><200907151050081554172@huaweisymantec.com><75998D9056424F94A34294F878EF8958@bombo><200907161018350396693@huaweisymantec.com><16C7F3CCDE434470AF2D409B79B70A8E@bombo><200907171450265993512@huaweisymantec.com><4EB312B4DC044B6DB99E8E16EFEA72D7@bombo> <200907201040329011805@huaweisymantec.com>
Date: Mon, 20 Jul 2009 12:28:47 +0200
Message-ID: <86BC9051818A451D9387B294D512D11B@bombo>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <200907201040329011805@huaweisymantec.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Thread-Index: AcoI44hA98flWtdsRCC5hU95ZpxRdAAQCr0g
X-TM-AS-Product-Ver: IMSS-7.0.0.3116-5.6.0.1016-16774.006
Cc: 'Padmanabha Nallur 73868' <pnallur@huawei.com>
Subject: Re: [savi] About draft-dong-savi-cga-header-02.txt
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the SAVI WG <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2009 10:57:58 -0000
Hi | -----Mensaje original----- | De: savi-bounces@ietf.org [mailto:savi-bounces@ietf.org] En nombre de Dong | Zhang | Enviado el: lunes, 20 de julio de 2009 4:41 | Para: Alberto_García; 'Christian Vogt'; 'SAVI Mailing List' | CC: 'Padmanabha Nallur 73868' | Asunto: Re: [savi] About draft-dong-savi-cga-header-02.txt | | Hi Alberto, | Please check inline. | | Thank you. | | Alberto_García 2009-07-17 Wrote: | >Hi | > | >| -----Mensaje original----- | >| De: savi-bounces@ietf.org [mailto:savi-bounces@ietf.org] En nombre de | Dong | >| Zhang | >| Enviado el: viernes, 17 de julio de 2009 8:50 | >| Para: Alberto_Garc?; 'Christian Vogt'; 'SAVI Mailing List' | >| CC: 'Padmanabha Nallur 73868' | >| Asunto: Re: [savi] About draft-dong-savi-cga-header-02.txt | >| | >| Alberto_Garc韆 2009-07-16 Wrote: | >| >| I do not think it is a conflict. The difference is just how to | >| >| use CGA. For instance, the CGA proposal can be used in e2e, even | between | >| >the | >| >| host | >| >| and the first-hop router. It can depend on the destination option header. | >| > | >| >Shim6 allows transporting CGA information end-to-end. It does that now, in | a | >| >standard way. Why you should want to generate a yet-another-protocol to | >| >transport CGA information end-to-end? | >| Thank you for the information. | >| We will read Shim6. If it really does the relative job, we will be glad to use it. | >| > | >| >Besides, what does such a protocol would have to do with SAVI? | >| >If you want to use CGAs for providing security in the link of the host and | >| >the first-hop router, you should probably use the SEND protocol (see | >| >draft-ietf-savi-send-00). Do you think there is something in the SEND | >| >protocol that does not suit with binding IPv6 addresses and link layer | >| >anchors, that could be improved? | >| >And if you want to use the CGA for address validation further than the first | >| >hop routers, I see some reasons why you should not: at that point you | need | >| >to validate prefixes, not host addresses, and CGA provides no protection for | >| >prefixes: any host can generate a valid CGA with whichever prefix it wanted. | >| >So just validating a CGA does not assure that the host is authorized to use | >| >that prefix. | >| In the CGA-related information, it contains the signature. We think it can | >| protect the prefix. Right? | > | >Well, it does not prove that a host has been legitimately assigned a prefix. | >CGAs, with a protocol transporting signatures made with the private key, only | assure that once a host generates a given address, it is very very difficult for | another host to use the same address. And yes, the protection includes the | prefix: it is just not enough to find a key pair whose hash generates a given | interface identifier, and then you can impersonate any host with the same | interface identifier in any network (i.e. with any prefix). | [Dong] Well, yes, we agree with this. CGA does not do identity authentication. | We only validate the address so that someone else cannot use this IP address. | We do not check for the IP address binding with a host or a user or some other | higher level entity and validate that. | | Just the fact that someone else cannot use the same address would give the | benefits mentioned in the use cases within the draft. I think the place to do this is in the first link. And the tool SEND + SAVI. Outside the first link, I think it is too costly to do checks in a per-address basis, and you need other tools (manual configuration, routing info...) for validating prefixes... so just validate prefixes with this tools. | | IMHO, we don't think even SAVI solutions need to validate the binding of IP | address with users etc., only check if a certain IP address is used on a specific | link. Yes, of course. I was not talking at any point in "users". Again, to check the address, use SEND. | > | >But that says nothing about the legitimacy of ah host to use that prefix. | >For example, give the prefix of your network, and I can generate immediately | an CGA that claims to belong to your prefix: CGA = hash ( prefix | public key | | etc). And I can use from my network, if the router (and some routers above) | does not check source prefixes. Looking only at the CGA nobody can know if my | host is authorized to use a prefix or not. | >So, CGA does not add anything to prefix protection. You have to provide other | means to protect that. | I guess the ingress filtering could do this. And savi solutions are the complement | for ingress filtering. This point has been discussed before. | > | > | >| > | >| >| > | >| >| >What does this type of solutions has to do with SAVI, considering that | >| >the | >| >| >charter says: "No changes to hosts are allowed."? Isn't your solution | >| >| >proposing a change to hosts? | >| >| Yes, the CGA proposal does not fit for the current charter quit well to | >| >some | >| >| extend. | >| >| The reason why we put the CGA-related info in the extension header is | >| >that it | >| >| has | >| >| the ability to provide a basic security for the source address like AH & | >| >ESP. The | >| > | >| >The CGA security model does not have much relationship with AH & ESP. | Well, | >| >all use keys, but besides that... | >| I mean if we could take the CGA-related information in the extension header, | >| the packet will have AH, ESP and CGA for the basic security characteristics, | >| including integrity, confidentiality, and authentication. | > | >This is completely different stuff. It seems like generating an opportunistic IKE | security context (a la SSL) for a communication, starting with the public/private | key pair associated to the CGAs of two hosts. Then you should look at | http://tools.ietf.org/id/draft-laganier-ike-ipv6-cga-02.txt | I am a little confused here. I have already known this draft before. Are you | comparing it with my another draft, http://tools.ietf.org/id/draft-zhang-shen-sa- | cga-00.txt ? I was not aware of your draft. I wasn't comparing anything, but, from the title of your draft, yes it seems similar. Regards, Alberto | | | ------------------ | Dong Zhang | 2009-07-20
- [savi] SAVI agenda at IETF 75 - Please request sl… Christian Vogt
- Re: [savi] SAVI agenda at IETF 75 - Please reques… Frank Xia
- Re: [savi] SAVI agenda at IETF 75 - Please reques… Dong Zhang
- [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Dong Zhang
- Re: [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Dong Zhang
- Re: [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Dong Zhang
- Re: [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Dong Zhang
- Re: [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Alberto García
- Re: [savi] About draft-dong-savi-cga-header-02.txt Padmanabha Nallur
- Re: [savi] About draft-dong-savi-cga-header-02.txt Padmanabha Nallur