Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
>Again, I think it is to allow clients to simplify their code, which I
>suspect many will do anyway, and that it can be done without any real
>impact upon the server.
How does this simplify the client implementation?
The steps are the same:
- Determine the key being used for the transaction.
- Locate the AUTH or CGA option.
- Generate the hash over the message (perhaps setting the fields in the
AUTH/CGA option to some other value before generating the hash; storing
the overwritten bytes elsewhere) and concatenating anything needed for
generating the hash to the message (if appropriate).
- Validate the hash.
So, what's the benefit of putting the AUTH or CGA or whatever option
last? (Even if the option was last, the steps to locate it are still the
same.)
--
I think at this point we've (I've) wasted enough bandwidth on this
issue.
- Bernie
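The validation steps listed above, as an added example that is not code from the thread or from any DHCP implementation: it walks the DHCPv6 option TLVs, finds OPTION_AUTH (code 11, RFC 3315) wherever it sits, and recomputes an HMAC-MD5 over the message with the digest bytes zeroed. The option layout (protocol, algorithm, RDM, replay counter, then a bare digest) is a simplified assumption; a real AUTH option also carries realm and key-id data, and the key lookup is skipped here.

```python
import hmac
import hashlib

OPTION_AUTH = 11   # RFC 3315 AUTH option code
DIGEST_LEN = 16    # HMAC-MD5 digest length
HDR_LEN = 4        # msg-type (1) + transaction-id (3)

def iter_options(msg):
    """Yield (offset, code, length) for each TLV option after the header."""
    off = HDR_LEN
    while off + 4 <= len(msg):
        code = int.from_bytes(msg[off:off + 2], "big")
        length = int.from_bytes(msg[off + 2:off + 4], "big")
        if off + 4 + length > len(msg):
            raise ValueError("truncated option")
        yield off, code, length
        off += 4 + length

def auth_option(replay=bytes(8), digest=bytes(DIGEST_LEN)):
    """Simplified AUTH option: protocol=2, algorithm=1, RDM=0, replay, digest (assumed layout)."""
    body = bytes([2, 1, 0]) + replay + digest
    return OPTION_AUTH.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body

def build_message(msg_type, xid, options, key, auth_position):
    """Build a message with the AUTH option inserted at auth_position, then fill in its digest."""
    opts = list(options)
    opts.insert(auth_position, auth_option())        # digest field starts as zeros
    zeroed = bytes([msg_type]) + xid + b"".join(opts)
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    for off, code, length in iter_options(zeroed):
        if code == OPTION_AUTH:
            dstart = off + 4 + length - DIGEST_LEN
            return zeroed[:dstart] + digest + zeroed[dstart + DIGEST_LEN:]
    raise AssertionError("AUTH option not found after insertion")

def verify_auth(msg, key):
    """Locate AUTH (any position), zero its digest, recompute HMAC and compare in constant time."""
    try:
        for off, code, length in iter_options(msg):
            if code == OPTION_AUTH and length >= 3 + 8 + DIGEST_LEN:
                dstart = off + 4 + length - DIGEST_LEN
                received = msg[dstart:dstart + DIGEST_LEN]
                zeroed = msg[:dstart] + bytes(DIGEST_LEN) + msg[dstart + DIGEST_LEN:]
                expected = hmac.new(key, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(received, expected)
    except ValueError:
        return False
    return False   # no usable AUTH option present

# Constructed sample: SOLICIT with a client-id (code 1) and elapsed-time (code 8) option.
SAMPLE_OPTIONS = [b"\x00\x01\x00\x04\xde\xad\xbe\xef", b"\x00\x08\x00\x02\x00\x00"]
SAMPLE_KEY = b"constructed-shared-secret"
</test>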
-----Original Message-----
From: kre at munnari.OZ.AU [mailto:kre at munnari.OZ.AU]
Sent: Monday, July 14, 2008 9:29 AM
To: Bernie Volz (volz)
Cc: Sean Shuo Shen; Mark Stapp (mjs); Sheng Jiang; dhcwg at ietf.org
Subject: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is
submitted. Comments are welcome!
Date: Mon, 14 Jul 2008 08:56:09 -0400
From: "Bernie Volz (volz)" <volz at cisco.com>
Message-ID:
<8E296595B6471A4689555D5D725EBB21080C9F72 at xmb-rtp-20a.amer.cisco.com>
| And, what if there is another option that states it needs to be last?
Yes, that's a problem, there can be only one (non-exclusive) option with
that requirement. But "last" tends to only make sense for auth type
options, options whose value depends upon all the other data in the
packet.
That's why my earlier message mentioned the possibility of multiple auth
options (which to me probably makes no sense, but ...)
| If there is no technical reason, then drop the requirement. If it makes
| it easier to implement, that is up to the implementation to decide to
| do; not up to the standard to mandate it.
Again, I think it is to allow clients to simplify their code, which I
suspect many will do anyway, and that it can be done without any real
impact upon the server.
Also note I'm talking about the proposed CGA signature option, not the
existing AUTH option.
kre
_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg