server authentication? [Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-disc-03.txt (fwd)]
Pekka Savola <pekkas@netcore.fi> Mon, 28 February 2005 19:21 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA25260; Mon, 28 Feb 2005 14:21:02 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D5qSn-0006dm-EV; Mon, 28 Feb 2005 14:21:53 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D5qR5-0000OX-Pq; Mon, 28 Feb 2005 14:20:07 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D5qR4-0000OS-7f for v6tc@megatron.ietf.org; Mon, 28 Feb 2005 14:20:06 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA25001 for <v6tc@ietf.org>; Mon, 28 Feb 2005 14:20:05 -0500 (EST)
Received: from netcore.fi ([193.94.160.1]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D5qRq-0006bn-Ib for v6tc@ietf.org; Mon, 28 Feb 2005 14:20:56 -0500
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id j1SJJf007770; Mon, 28 Feb 2005 21:19:43 +0200
Date: Mon, 28 Feb 2005 21:19:40 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Jeroen Massar <jeroen@unfix.org>
Subject: server authentication? [Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-disc-03.txt (fwd)]
In-Reply-To: <1109607008.9918.149.camel@firenze.zurich.ibm.com>
Message-ID: <Pine.LNX.4.61.0502282110510.7540@netcore.fi>
References: <Pine.LNX.4.61.0501242330490.24894@netcore.fi> <Pine.LNX.4.61.0502091022220.25523@netcore.fi> <1109364447.20338.47.camel@firenze.zurich.ibm.com> <Pine.LNX.4.61.0502260805280.18825@netcore.fi> <1109586053.9918.56.camel@firenze.zurich.ibm.com> <6AC79F9B-899C-11D9-94B3-000A95928574@kurtis.pp.se> <1109607008.9918.149.camel@firenze.zurich.ibm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: v6tc@ietf.org
X-BeenThere: v6tc@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: v6tc.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/v6tc>, <mailto:v6tc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/v6tc>
List-Post: <mailto:v6tc@ietf.org>
List-Help: <mailto:v6tc-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/v6tc>, <mailto:v6tc-request@ietf.org?subject=subscribe>
Sender: v6tc-bounces@ietf.org
Errors-To: v6tc-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
On Mon, 28 Feb 2005, Jeroen Massar wrote: > On Mon, 2005-02-28 at 16:21 +0100, Kurt Erik Lindqvist wrote: >> My concern is that you still have no idea if you are talking to the TSP >> server you think you are talking to. > > There is quite a funny problem here ;) > > The TEP server gets automatically discovered, thus everybody who deploys > one would need to have the same cert, otherwise the client can't verify > it being the 'correct' TEP. But with everybody having the cert, > everybody can setup a bogus one... > > Maybe we should have shim6 finished before this ? Then one could use the > identifier as the verification mechanism... This issue is somewhat offtopic from _discovery_, but was mentioned briefly earlier under "mutual authentication", without much discussion. One can indeed raise a question how strongly the server should authenticate the client, and how strongly the client should authenticate the server. If the discovery mechanism has potential for giving ambiguous responses, it can be argued that the need for the client to authenticate the server is greater (but probably only slightly). There can be a number of authentication methods in the _configuration protocol_ (and not necessarily the endpoint discovery), but a major question is how many roundtrips the clients want to waste in the authentication. At least in some scenarios, doing this may not be all that interesting. As an example of configuration protocol client<->server authentication, draft-parent-v6tc-protocol-exploration-01.txt gives an overview how to use SEND or DHCPv6 + authentication. Both can guarantee that you are talking to the server you think you're talking to. So, this does not necessarily need to be addressed in the end-point discovery part of the solution, though the properties of the discovery may affect the requirements level of the authentication. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings _______________________________________________ v6tc mailing list v6tc@ietf.org https://www1.ietf.org/mailman/listinfo/v6tc
- [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-disc… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Alain Durand
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Kurt Erik Lindqvist
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Kurt Erik Lindqvist
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Jeroen Massar
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Gert Doering
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Jeroen Massar
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Gert Doering
- use of PPP [Re: [v6tc] I-D ACTION:draft-palet-v6o… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Kurt Erik Lindqvist
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Jeroen Massar
- server authentication? [Re: [v6tc] I-D ACTION:dra… Pekka Savola
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Alain Durand
- Re: use of PPP [Re: [v6tc] I-D ACTION:draft-palet… Alain Durand
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Jeroen Massar
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Kurt Erik Lindqvist
- Re: server authentication? [Re: [v6tc] I-D ACTION… Kurt Erik Lindqvist
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Kurt Erik Lindqvist
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Alain Durand
- Re: [v6tc] I-D ACTION:draft-palet-v6ops-tun-auto-… Kurt Erik Lindqvist
- [v6tc] About the (un)upgradability of the NAT box Alain Durand
- [v6tc] Re: About the (un)upgradability of the NAT… Kurt Erik Lindqvist
- [v6tc] Re: About the (un)upgradability of the NAT… Pekka Savola
- [v6tc] Re: About the (un)upgradability of the NAT… Kurt Erik Lindqvist
- Re: [v6tc] Re: About the (un)upgradability of the… Soininen Jonne (Nokia-NET/Helsinki)
- Re: [v6tc] Re: About the (un)upgradability of the… Miguel Angel Diaz
- Re: server authentication? [Re: [v6tc] I-DACTION:… Miguel Angel Diaz
- Re: [v6tc] Re: About the (un)upgradability of the… Jeroen Massar
- Re: server authentication? [Re: [v6tc] I-DACTION:… Kurt Erik Lindqvist
- Re: server authentication? [Re: [v6tc] I-DACTION:… Pekka Savola
- Re: server authentication? [Re: [v6tc] I-DACTION:… Jeroen Massar
- Re: server authentication? [Re: [v6tc] I-DACTION:… Kurt Erik Lindqvist