Re: [secdir] secdir review of draft-ietf-csi-dhcpv6-cga-ps-04.txt

Sheng Jiang <> Sat, 09 October 2010 02:40 UTC


Hi, Stephen,

Sorry for the late reply. We were on the Chinese National Holiday. Please see my reply below.

Best regards,


> -----Original Message-----
> From: Stephen Hanna [] 
> Sent: Saturday, October 02, 2010 10:56 AM
> To:;;; 
> Subject: secdir review of draft-ietf-csi-dhcpv6-cga-ps-04.txt
>
> I have reviewed this document as part of the security
> directorate's ongoing effort to review all IETF documents 
> being processed by the IESG. These comments were written 
> primarily for the benefit of the security area directors. 
> Document editors and WG chairs should treat these comments 
> just like any other last call comments.
>
> This document discusses several ways that DHCPv6 can be used
> with Cryptographically Generated Addresses (CGA), pointing 
> out benefits and concerns. While the document does discuss 
> security issues in several places, it often lapses into vague 
> terminology like "one should carefully consider the impact on 
> security". Given that the primary benefit of using CGAs is to 
> improve security by providing address validation without 
> complex key distribution, carefully analyzing security issues 
> seems necessary for this document.
>
> On the other hand, the Document Shepherd Write-up for this
> document says "The WG was not very energetic on this 
> document. The document describes possible applications of 
> CGAs and DHCP interaction and when the WG was asked whether 
> there was enough interest to work on solutions, the reply was 
> silence. As such, the consensus is based on most of the WG 
> being indifferent." So maybe this document is only intended 
> as a sketch of possible issues that can be explored later in 
> a more in-depth document if someone is interested in doing 
> so. If that's the case, maybe it's OK to not fully analyze 
> all the security implications. However, in that case, I think 
> the Security Considerations section should state clearly that 
> this document does not contain a complete security analysis 
> and any further work in this area should include such an 
> analysis. Nobody should implement the techniques described in 
> this document without conducting that more thorough analysis.

I guess that's the case. I am fine to add the statement you suggested into the security

> I noticed a few typos. On page 6, the word "certificated"
> should be "certified". Three sentences later, "depend on 
> policies" should be "depending on policies". And the draft 
> names in the Change Log say "dhacpv6" instead of "dhcpv6".

Thanks. We will fix it with other comments in the future version.


> Thanks,
> Steve