[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!

To: "Sean Shuo Shen" <sshen at huawei.com>, <kre at munnari.OZ.AU>
Subject: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
From: "Bernie Volz (volz)" <volz at cisco.com>
Date: Mon, 14 Jul 2008 10:16:19 -0400
Authentication-results: rtp-dkim-2; header.From=volz at cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: dhcwg at ietf.org, "Mark Stapp $mjs$" <mjs at cisco.com>
Delivered-to: ietfarch-dhcwg-web-archive at core3.amsl.com
Delivered-to: dhcwg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=2924; t=1216044980; x=1216908980; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=volz at cisco.com; z=From:=20=22Bernie=20Volz=20(volz)=22=20<volz at cisco.com> |Subject:=20RE=3A=20[dhcwg]=20A=20new=20draft=20of=20draft- jiang-dhc-secure-dhcpv6=20is=20submitted.=20Comments=20are=2 0welcome! |Sender:=20 |To:=20=22Sean=20Shuo=20Shen=22=20<sshen at huawei.com>,=20<kr e at munnari.OZ.AU>; bh=LiBWTVU5mJ3g+dxLLukHDjsxm4/JOsxyU8gogyaJl6k=; b=TbSM6XcIPq3R09fd4+MfibCPv/GG7l0R0lstYM6DZZ6kW/W1VqT5qFA+Qm +UxewKmurFlxoeEdFS8ECo5JLIJgpkVklnDs4531+wwk1bmibJ786I+uhF82 NvtlE4lhKO;
In-reply-to: <005401c8e5b0$4607f2f0$c80c6f0a@china.huawei.com>
List-archive: <https://www.ietf.org/mailman/private/dhcwg>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: <dhcwg.ietf.org>
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <808.1216031570@epsilon.noi.kre.to> <005401c8e5b0$4607f2f0$c80c6f0a@china.huawei.com>
Sender: dhcwg-bounces at ietf.org
Thread-index: AcjlnSQy+n1SRyNiRee/VgVk4xYh2wAER/KQAAMizFA=
Thread-topic: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!

If you reworked section 5.2 of the draft as follows you'd solve the
option ordering issue:

       Signature       A variable-length field containing a digital 
                       signature. The signature value is computed with 
                       the hash algorithm and the signature algorithm, 
                       as described in HA-id and SA-id. The signature 
                       constructed by using the sender's private key 
                       over the following sequence of octets: 
                        
                       1. The 128-bit CGA Message Type tag value for 
                       Secure DHCPv6, 0x81be a1eb 0021 ce7e caa9 4090 
                       0665 d2e0 02c2. (The tag value has been 
                       generated randomly by the editor of this 
                       specification.)
                        
                       2. The 128-bit Source Address field from the IP 
                       header. 
                        
                       3. The 128-bit Destination Address field from 
                       the IP header. 
                        
                       4. The entire DHCPv6 message with the Signature
                       field of this option set to all zero's.

If may even be better to have it read:
                        
                       1. The entire DHCPv6 message with the Signature
                       field of this option set to all zero's.

                       2. The 128-bit CGA Message Type tag value for 
                       Secure DHCPv6, 0x81be a1eb 0021 ce7e caa9 4090 
                       0665 d2e0 02c2. (The tag value has been 
                       generated randomly by the editor of this 
                       specification.)
                        
                       3. The 128-bit Source Address field from the IP 
                       header. 
                        
                       4. The 128-bit Destination Address field from 
                       the IP header. 

The reason is that it is often easier to (temporarily) add data at the
end of the message than to have allocated sufficient space BEFORE it
(and at least KRE wants to avoid having to use multiple buffer fragments
to hash over).

Also, I'm not sure what benefit the "reserved" field in the option has
(other than making the diagram easier to draw) and I'd suggest removing
it unless you have a good argument for keeping it. I think it is there
in RFC 3971 for the simple reason that there is attempt to align IPv6
header fields so that routers and the like have quicker access to them.
As the DHCPv6 message has no such alignment requirements and the start
of an option can be on any byte boundry, there is no benefit to having
this field to "align" the buffer.

- Bernie
_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

Follow-Ups:
- Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
  - From: Sean Shuo Shen

References:
- Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
  - From: Robert Elz

Prev by Date: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
Next by Date: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
Previous by thread: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
Next by thread: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
Index(es):
- Date
- Thread