Re: [savi] AD review of draft-ietf-savi-fcfs
Jean-Michel Combes <jeanmichel.combes@gmail.com> Tue, 18 October 2011 18:11 UTC
Date: Tue, 18 Oct 2011 20:11:30 +0200
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Alberto García <alberto@it.uc3m.es>
Cc: draft-ietf-savi-fcfs@tools.ietf.org, SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] AD review of draft-ietf-savi-fcfs
Hi,

2011/10/14 Alberto García <alberto@it.uc3m.es>:
> Hi
>
> | -----Original message-----
> | From: savi-bounces@ietf.org [mailto:savi-bounces@ietf.org] On behalf of
> | Jean-Michel Combes
> | Sent: Thursday, 13 October 2011 17:57
> | To: marcelo bagnulo braun
> | CC: draft-ietf-savi-fcfs@tools.ietf.org; SAVI Mailing List
> | Subject: Re: [savi] AD review of draft-ietf-savi-fcfs
> |
> | Sorry, in fact, proxy SEND checks the validity of SENDized ND exchanges
> | (draft-ietf-csi-proxy-send-05, section 5.2.1, 1.B). So, proxy SEND could
> | be used, but:
> | - proxy SEND requires that hosts in the network be compliant with proxy
> | SEND
>
> Yes. We should assume the following scenario (scenario #1): a link in which
> all receivers are capable of processing proxy SEND messages (aka 'SPND
> nodes'), and nodes either generate SEND or Proxy SEND messages.

Agree.

> | - proxy SEND is not "transparent" and so the SAVI device will lose its
> | "invisibility" feature
>
> I don't understand this.

With proxy SEND, the nodes know there is a proxy SEND entity (based on the
Proxy Signature Option), which could act as the SAVI device too (i.e., useful
information for a potential attacker). With SEND SAVI, IIRC, the SAVI device
is not visible to the nodes on the link (as the SAVI device uses SENDized NUD
messages, it looks like a common SEND node).

> Maybe you are thinking about a different deployment scenario to the one I
> commented above, an alternative way of 'mixing' SAVI and proxy SEND, in
> which SAVI devices would act as Proxy SEND devices for non-SEND nodes
> (scenario #2).

no no, cf. above :)

> I think this is a bad idea, because it provides without reason the same
> confidence to SEND and non-SEND devices, and I'm sure that this is not what
> we want to do. In the examples shown in the Proxy SEND draft, there is a
> strong security link between the Proxy SEND device and the proxied nodes.
>
> | - proxy SEND requires many actions (certificate management, IP packet
> | modification, etc.) and I am not sure that the SAVI device will be able to
> | do this, as in common use cases the SAVI device is an L2 device.
>
> In scenario #1, SAVI devices only validate Proxy SEND messages. They only
> need to have the same capabilities as SPND nodes. So these features you
> comment on are not needed.
>
> I think adding proxy SEND validation to SEND SAVI would be quite simple, and
> without much trouble.

I think you (or is it me? :)) missed the point from Jari: from what I
understood, Jari's question is "Is it possible to use proxy SEND (combined
with FCFS SAVI) instead of SEND SAVI?".

Jari, confirmation?

Best regards,

JMC.

> Makes sense?
> If the answer is 'yes', then
> - I could add some comment on Proxy SEND in the SEND SAVI document
> - A line in the fcfs-savi document such as the current 'So, when SEND is
> deployed, it is recommended to use SEND SAVI' (or could also be this
> alternative text 'So, when SEND or Proxy SEND is deployed, it is recommended
> to use SEND SAVI') sounds ok to me.
>
> Regards,
> Alberto
>
> | - proxy SEND would need an API with FCFS SAVI
> |
> | Best regards.
> |
> | JMC.
> |
> | 2011/10/13 Jean-Michel Combes <jeanmichel.combes@gmail.com>:
> | > Hi,
> | >
> | > 2011/10/13 marcelo bagnulo braun <marcelo@it.uc3m.es>:
> | >> Hi Jari,
> | >>
> | >> Please find the replies below marked with MB>
> | >>
> | >> On 04/05/11 20:41, Jari Arkko wrote:
> | >>>
> | >
> | > [snip]
> | >
> | >>>> So, when SEND is deployed, it is recommended to use SEND SAVI
> | >>>> [I-D.ietf-savi-send
> | >>>> <http://tools.ietf.org/html/draft-ietf-savi-fcfs-09#ref-I-D.ietf-savi-send>]
> | >>>> rather than FCFS SAVI."
> | >>>
> | >>> Is there some reason why proxy SEND cannot be employed here?
> | >>
> | >> MB> I will let Alberto reply to this one.
> | >
> | > This text comes from my review as shepherd of this document.
> | >
> | > As proxy SEND doesn't permit checking the validity of SENDized ND
> | > exchanges, IMHO, proxy SEND cannot be used easily.
> | >
> | > Best regards.
> | >
> | > JMC.
> | >
> | >> Regards, marcelo
> | >>
> | >>> Jari
> | >>
> | >> _______________________________________________
> | >> savi mailing list
> | >> savi@ietf.org
> | >> https://www.ietf.org/mailman/listinfo/savi