Re: Node Requirements: Issue 13 - CGA/SeND support

To: Hesham Soliman <hesham at elevatemobile.com>
Subject: Re: Node Requirements: Issue 13 - CGA/SeND support
From: Eric Levy-Abegnoli <elevyabe at cisco.com>
Date: Fri, 24 Jul 2009 15:54:23 +0200
Authentication-results: sj-dkim-2; header.From=elevyabe at cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: Thomas Narten <narten at us.ibm.com>, john.loughney at nokia.com, julienl at qualcomm.com, ipv6 at ietf.org, "\(Arnaud Ebalard\)" <arno at natisbad.org>, Brian E Carpenter <brian.e.carpenter at gmail.com>
Delivered-to: ipv6 at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1183; t=1248443667; x=1249307667; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=elevyabe at cisco.com; z=From:=20Eric=20Levy-Abegnoli=20<elevyabe at cisco.com> |Subject:=20Re=3A=20Node=20Requirements=3A=20Issue=2013=20- =20CGA/SeND=20support |Sender:=20; bh=rXacXoVwYxXYd/vcHi1M3h0y/gMvCUMrQ6+9BM1s/ok=; b=Uegsk9SwWF6QXNTebtpgq8UhU751eKenNLnfjamKeE8T73DxhCOX+4jA2h uoDWdFIufq87AWmDiuljRrPGUcJYA3bnoj+Kdq0PhJTKaKZRPjYK3zUNDYn9 n5XK3v47Gs;
In-reply-to: <C68FF6DE.E709%hesham at elevatemobile.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <C68FF6DE.E709%hesham at elevatemobile.com>
User-agent: Thunderbird 2.0.0.22 (Windows/20090605)

Hesham Soliman a écrit :

SeND is theoretically not easy to deploy - you need to provision

cryptography material on all nodes.


=> Why? You only need to provision routers if you want them to support proof
of prefix ownership, but you certainly don't need to provision all nodes,
that's the advantage of CGAs.

That's true for CGA, but not for router authorization. Any node thatwant to verify router authorization need to be provisionned with theanchor certificate.

Eric

Hesham



That implementations are not even

properly integrated into operating systems makes it worse. I somewhat

expect that somewhat secure networks will use network-side filtering as is

done for ARP instead, as it requires no host-side changes.



I don't think it deserves a "SHOULD" at this point.



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Follow-Ups:
- Re: Node Requirements: Issue 13 - CGA/SeND support
  - From: Hesham Soliman

References:
- Re: Node Requirements: Issue 13 - CGA/SeND support
  - From: Hesham Soliman

Prev by Date: Re: Node Requirements: Issue 13 - CGA/SeND support
Next by Date: Re: Node Requirements: Issue 13 - CGA/SeND support
Previous by thread: Re: Node Requirements: Issue 13 - CGA/SeND support
Next by thread: Re: Node Requirements: Issue 13 - CGA/SeND support
Index(es):
- Date
- Thread

Re: Node Requirements: Issue 13 - CGA/SeND support

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.