From jari.arkko@lmf.ericsson.se  Mon Dec  1 06:01:32 2003
Message-ID: <3FCB1DB9.6070807@ericsson.com>
Date: Mon, 01 Dec 2003 12:53:45 +0200
From: Pekka Nikander <pekka.nikander@ericsson.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6b) Gecko/20031119 Thunderbird/0.4a
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: ietf-send@standards.ericsson.net
Subject: Re: SEND with link-layer security
References: <13586.1070224425@marajade.sandelman.ottawa.on.ca>
In-Reply-To: <13586.1070224425@marajade.sandelman.ottawa.on.ca>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

Michael Richardson wrote:
> I believe that there are significant issues if we do not eventually work on
> ways to bind link layer security (1x) and network layer security (SEND).

Sure, but 1x is not link layer security.  11i aims to be, but
may not quite reach the mark, depending on how you measure.

OTOH, re-reading the charter and the proposed new charter (which
apparently will not be taken into use before the WG is closed),
I think that we should leave this out of scope of the WG.

If individual people have interest in working on this area, IMHO
(and I guess in James' opinion) it is OK to use this mailing
list as a forum if the goal is to produce an individual
Informational RFC.  For WG activity in this area, at least I want
to first see SEND deployed (at least somewhere) and then work on
the area based on deployment experiences.

--Pekka Nikander

--------------------------------------------------------------------
To unsubscribe from this list, send email with "UNSUBSCRIBE" in the
body to <ietf-send-request@standards.ericsson.net>.
Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html
--------------------------------------------------------------------


From jari.arkko@lmf.ericsson.se  Mon Dec  1 06:55:09 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <mcr@sandelman.ottawa.on.ca>
CC: <ietf-send@standards.ericsson.net>
Subject: Re: SEND with link-layer security
Date: Mon, 1 Dec 2003 13:45:51 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031201114551.XGMX13518.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

> I believe that there are significant issues if we do not eventually work on
> ways to bind link layer security (1x) and network layer security (SEND).

I agree.

But first some background on this issue. I think Michael
is thinking about this based on the discussions we have had in
the EAP mailing list. Michael presented an attack where someone
offers WLAN access to clients. This offer is legitimate in the
sense that this someone has a contract with a roaming group. But
he is not providing the full service by himself. He simply
attracts the customers, NATs their traffic, and sends it off
to another WLAN service provider using his own flat fee
account. The attacker then collects the roaming fees for a
number of users, but leaves all bandwidth cost to the
other provider.

Anyway, one proposal is that if L2 security would provide
the certs for SEND RAs, then we would have a tighter
binding between what is happening at L2 and L3. Then
an attempt to provide L3 services from someone else
would be detected. However, we are still discussing
whether this works. It would not prevent NATting,
for instance, so it doesn't seem to fix the original
attack.

Anyway, I personally believe something like this
will eventually be needed. So we should work on it...
but I fear that it might take some time before we
figure out what to do here. Maybe even IETF-IEEE
etc discussions. (And it should not hold up SEND.)

--Jari




From jari.arkko@lmf.ericsson.se  Mon Dec  1 15:53:39 2003
Message-ID: <001801c3b84c$0726bb70$036015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <ietf-send@standards.ericsson.net>
Subject: Fw: ID Tracker State Update Notice: draft-ietf-send-psreq
Date: Mon, 1 Dec 2003 12:45:16 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


----- Original Message ----- 
From: "The IESG" <iesg-secretary@ietf.org>
To: <Pekka.Nikander@nomadiclab.com>; <kempf@docomolabs-usa.com>
Sent: Sunday, November 30, 2003 4:30 PM
Subject: ID Tracker State Update Notice: draft-ietf-send-psreq


> 'State Changes to IESG Evaluation from IESG Evaluation::Revised ID Needed by Margaret Wasserman'
> ID Tracker URL:
> https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=9439&rfc_flag=0
>
>
>



From jari.arkko@lmf.ericsson.se  Mon Dec  1 16:20:46 2003
Message-ID: <005901c3b84d$e743f910$036015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <jari.arkko@kolumbus.fi>, <mcr@sandelman.ottawa.on.ca>
Cc: <ietf-send@standards.ericsson.net>
References: <20031201114551.XGMX13518.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Subject: Re: SEND with link-layer security
Date: Mon, 1 Dec 2003 12:58:41 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

> But first some background on this issue. I think Michael
> is thinking about this based on the discussions we have had in
> the EAP mailing list. Michael presented an attack where someone
> offers WLAN access to clients. This offer is legitimate in the
> sense that this someone has a contract with a roaming group. But
> he is not providing the full service by himself. He simply
> attracts the customers, NATs their traffic, and sends it off
> to another WLAN service provider using his own flat fee
> account. The attacker then collects the roaming fees for a
> number of users, but leaves all bandwidth cost to the
> other provider.
>

I'm not sure I understand the attack. How would the other WLAN provider have
to bear the bandwidth cost unless their AP was utilized? It sounds here like
you are saying that the rogue has its own APs, right? If that is so, where
is the problem with the bandwidth cost going to the other provider?

> Anyway, one proposal is that if L2 security would provide
> the certs for SEND RAs, then we would have a tighter
> binding between what is happening at L2 and L3. Then
> an attempt to provide L3 services from someone else
> would be detected. However, we are still discussing
> whether this works. It would not prevent NATting,
> for instance, so it doesn't seem to fix the original
> attack.
>

Certs with L2 info on the router would allow this.

> Anyway, I personally believe something like this
> will eventually be needed. So we should work on it...
> but I fear that it might take some time before we
> figure out what to do here. Maybe even IETF-IEEE
> etc discussions. (And it should not hold up SEND.)
>

Yes.

       jak



From jari.arkko@lmf.ericsson.se  Mon Dec  1 16:54:31 2003
Message-ID: <3FCBB5DE.4030509@kolumbus.fi>
Date: Mon, 01 Dec 2003 23:42:54 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: James Kempf <kempf@docomolabs-usa.com>
CC: mcr@sandelman.ottawa.on.ca, ietf-send@standards.ericsson.net
Subject: Re: SEND with link-layer security
References: <20031201114551.XGMX13518.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi> <005901c3b84d$e743f910$036015ac@dclkempt40>
In-Reply-To: <005901c3b84d$e743f910$036015ac@dclkempt40>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

James Kempf wrote:
>>But first some background on this issue. I think Michael
>>is thinking about this based on the discussions we have had in
>>the EAP mailing list. Michael presented an attack where someone
>>offers WLAN access to clients. This offer is legitimate in the
>>sense that this someone has a contract with a roaming group. But
>>he is not providing the full service by himself. He simply
>>attracts the customers, NATs their traffic, and sends it off
>>to another WLAN service provider using his own flat fee
>>account. The attacker then collects the roaming fees for a
>>number of users, but leaves all bandwidth cost to the
>>other provider.
>>
> 
> 
> I'm not sure I understand the attack. How would the other WLAN provider have
> to bear the bandwidth cost unless their AP was utilized? It sounds here like
> you are saying that the rogue has its own APs, right? If that is so, where
> is the problem with the bandwidth cost going to the other provider?

The rogue provider has a node with two wireless
interfaces: one to attract clients, and another
one to connect to the real provider's AP. The
rogue provider has to pay for his node and the
flat fee account, but the real provider pays all
costs related to Internet connectivity.

This would not fly as a business if you had to
deploy the rogue nodes. But folks might put the
required software in their laptops that they carry
around anyway. This would also not fly if the
cost of flat fee accounts is higher than what
you can get as roaming fees.

Anyway, we discussed this a bit further on the
EAP WG mailing list and agreed with Michael that
we need L2 to authenticate advertised access
point properties, such as the SSID. (This is currently
*not* done.) We would also like to get a binding between
L2 and L3, to ensure that the L3 services are provided
by the same entity that we authenticated to. However,
there are limits to what these two measures can achieve.
The SSID authentication is useless if the user is
not paying attention to the identifier, and the L3
service binding does not prevent someone from NATting
the results to another L3 service.

--Jari



From jari.arkko@lmf.ericsson.se  Mon Dec  1 17:05:48 2003
To: ietf-send@standards.ericsson.net
Subject: Re: SEND with link-layer security 
In-reply-to: Your message of "Mon, 01 Dec 2003 12:58:41 PST."
             <005901c3b84d$e743f910$036015ac@dclkempt40> 
Mime-Version: 1.0 (generated by tm-edit 1.8)
Content-Type: text/plain; charset=US-ASCII
Date: Mon, 01 Dec 2003 16:52:43 -0500
Message-ID: <19459.1070315563@marajade.sandelman.ottawa.on.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


>>>>> "James" == James Kempf <kempf@docomolabs-usa.com> writes:
    James> I'm not sure I understand the attack. How would the other WLAN
    James> provider have to bear the bandwidth cost unless their AP was
    James> utilized? It sounds here like you are saying that the rogue has
    James> its own APs, right? If that is so, where is the problem with the
    James> bandwidth cost going to the other provider?

http://mail.frascone.com/pipermail/eap/2003-November/001936.html

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


From jari.arkko@lmf.ericsson.se  Tue Dec  2 13:42:33 2003
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Subject: RE: ID Tracker State Update Notice: draft-ietf-send-psreq
Date: Tue, 2 Dec 2003 13:32:35 -0500
Message-ID: <E320A8529CF07E4C967ECC2F380B0CF9024440F9@bsebe001.americas.nokia.com>
Thread-Topic: ID Tracker State Update Notice: draft-ietf-send-psreq
Thread-Index: AcO4TT9+FdifsuerRv+U9O5mirIy1gAtTWLA
From: <Margaret.Wasserman@nokia.com>
To: <kempf@docomolabs-usa.com>, <ietf-send@standards.ericsson.net>
X-OriginalArrivalTime: 02 Dec 2003 18:32:36.0610 (UTC) FILETIME=[A897CE20:01C3B902]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by sw.ericsson.se id hB2IXqIt012186
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


Just FYI --

I think that all of the IESG comments have been resolved in
this version, and I have returned it to the IESG agenda for
December 18th.  I hope it will be approved then.  I'll let
you all know what happens.

Margaret



> -----Original Message-----
> From: owner-ietf-send@standards.ericsson.net
> [mailto:owner-ietf-send@standards.ericsson.net]On Behalf Of ext James
> Kempf
> Sent: Monday, December 01, 2003 3:45 PM
> To: ietf-send@standards.ericsson.net
> Subject: Fw: ID Tracker State Update Notice: draft-ietf-send-psreq
> 
> 
> 
> ----- Original Message ----- 
> From: "The IESG" <iesg-secretary@ietf.org>
> To: <Pekka.Nikander@nomadiclab.com>; <kempf@docomolabs-usa.com>
> Sent: Sunday, November 30, 2003 4:30 PM
> Subject: ID Tracker State Update Notice: draft-ietf-send-psreq
> 
> 
> > 'State Changes to IESG Evaluation from IESG Evaluation::Revised ID Needed by Margaret Wasserman'
> > ID Tracker URL:
> > https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=9439&rfc_flag=0
> >
> >
> >
> 
> 



From jari.arkko@lmf.ericsson.se  Wed Dec  3 10:12:57 2003
Message-ID: <3FCC8A6B.7010704@kolumbus.fi>
Date: Tue, 02 Dec 2003 14:49:47 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Julien Laganier <julien.laganier@laposte.net>,
        Samita Chakrabarti <Samita.Chakrabarti@eng.sun.com>,
        Pekka Nikander <pekka.nikander@nomadiclab.com>
CC: SEND WG <ietf-send@standards.ericsson.net>
Subject: Re: An API question from Samita
References: <3FBB5330.3020904@ericsson.com> <200311211445.50302.julien.laganier@laposte.net>
In-Reply-To: <200311211445.50302.julien.laganier@laposte.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

Julien Laganier wrote:
> On Wednesday 19 November 2003 12:25, Pekka Nikander wrote:
> 
>>Following the discussion last week at Minneapolis,
>>Samita Chakrabarti wants to ask the working group
>>the following question:
>>
>>   draft-chakrabarti-ipv6-addrselect-api-02.txt already has a mechanism
>>   to choose CGA and NON-CGA source addresses by the application using
>>   socket api.  The SEND wg needs to decide whether such API is needed
>>   for applications running on a SEND-node.  Please send the decision on
>>   this to the IPv6 wg alias - based on that we will update the address
>>   selection API draft (which actually goes along with RFC3484).
>>
>>Please send your replies to the mailing list.  The chairs
>>will summarize and post the summary also to the ipv6 mailing
>>list.

I think it would be useful to have such an API.

And then Julien Laganier wrote:

> OTOH, there's no doubt that the same effect (avoid CGA signature and
> validation) can be achieved through a future dedicated API. But as the source 
> address selection API draft is almost ready, mentions CGA without creating 
> apparent conflicts, I think it's worth keeping CGA in it.

Yes.

I also looked at Samita's document and the CGA parts
seem Ok.

--Jari


--------------------------------------------------------------------
To unsubscribe from this list, send email with "UNSUBSCRIBE" in the
body to <ietf-send-request@standards.ericsson.net>.
Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html
--------------------------------------------------------------------


From jari.arkko@lmf.ericsson.se  Thu Dec  4 03:52:01 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <samita@jurassic.eng.sun.com>
Subject: Re: An API question from Samita
Date: Thu, 4 Dec 2003 10:40:09 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031204084009.KRCA13518.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit


(Originally bounced, I'm resending it to the list --Jari)

>>> Please send your replies to the mailing list.  The chairs
>>> will summarize and post the summary also to the ipv6 mailing
>>> list.
>>
>> I think it would be useful to have such an API.
>>
>> And then Julien Laganier wrote:
>>
>>> OTOH, there's no doubt that the same effect (avoid CGA signature and
>>> validation) can be achieved through a future dedicated API. But as the source
>>> address selection API draft is almost ready, mentions CGA without creating
>>> apparent conflicts, I think it's worth keeping CGA in it.
>>
>> Yes.
>>
>> I also looked at Samita's document and the CGA parts
>> seem Ok.



Thanks for checking the API doc for CGA part. I assume that the SEND doc
will have CGA node default behavior documented, then we can refer the SEND
document from this API doc.

-Samita
 




From jari.arkko@lmf.ericsson.se  Thu Dec  4 13:03:55 2003
In-Reply-To: <E320A8529CF07E4C967ECC2F380B0CF90244407B@bsebe001.americas.nokia.com>
References: <E320A8529CF07E4C967ECC2F380B0CF90244407B@bsebe001.americas.nokia.com>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: multipart/mixed; boundary=Apple-Mail-4--88420430
Message-Id: <282AE864-2683-11D8-8F28-000393CE1E8C@ericsson.com>
Cc: James Kempf <kempf@docomolabs-usa.com>, Thomas Narten <narten@us.ibm.com>,
        ietf-send@standards.ericsson.net
From: Pekka Nikander <pekka.nikander@ericsson.com>
Subject: IETF-58 SEND WG Summary
Date: Thu, 4 Dec 2003 19:56:16 +0200
To: Margaret.Wasserman@nokia.com
X-Mailer: Apple Mail (2.606)
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


--Apple-Mail-4--88420430
Content-Type: text/plain;
	charset=US-ASCII;
	format=flowed
Content-Transfer-Encoding: 7bit

On Nov 24, 2003, at 21:33, Margaret.Wasserman@nokia.com wrote:
> After the Vienna IETF, we asked all of the Internet Area WG chairs
> to produce a summary of their WGs, using the template below.  We
> found these summaries very helpful in understanding the status of
> each WG, and we'd like you to produce similar summaries for the
> Minneapolis IETF meeting.

Please find enclosed summary of the SEND WG meeting at Minneapolis.
Please send any corrections to the list (and to me); I'll include
them when I submit the minutes for the proceedings.

--Pekka Nikander


--Apple-Mail-4--88420430
Content-Type: text/plain;
	x-unix-mode=0644;
	name="ietf58_send_summary.txt"
Content-Disposition: attachment;
	filename=ietf58_send_summary.txt
Content-Transfer-Encoding: 7bit

Summary of the SEND WG Meeting 
at IETF58, Minneapolis, Minnesota
Tuesday November 11, 1300-1400

Decisions
---------
1.   Probably last face-to-face WG meeting.  Submit drafts to the IESG,
     keep the mailing list running at least until the drafts have
     passed the IESG review.

Open action item from previous meeting     
----------------------------------------
AP1. Re-charter
     Status at IETF-58: Open
     Later decision:    Will be skipped since
                        the WG is closing anyway.

AP8. WG LC on draft-ietf-send-ndopts
     Status:            Delayed.
     New target date:   December

New Action items
----------------

AP9.  Advance draft-ietf-send-psreq at the IESG.
      Owner:        James Kempf
      Target date:  November 
      Status today: Document scheduled for IESG meeting.

AP10. Submit draft-ietf-send-cga to IESG.
      Owner:        Pekka Nikander
      Target date:  November
      Status today: Will be submitted any day now.

AP11. Clarify measurements from implementation report
      Owner:        James Kempf
      Target date:  November
      Status today: Clarified, sent to mailing list.

AP12. Discuss CGA address selection at mailing list.
      Owner:        Pekka Nikander
      Target date:  December
      Status today: Discussion ongoing

AP13. Cover different functions of Redirect.
      Owner:        Jari Arkko
      Target date:  December
      Status today: Open     

AP14. Add text on unsolicited ND.
      Owner:        Jari Arkko
      Target date:  December
      Status today: Open

AP15. Remove redundant text from draft-ietf-send-ndopts.
      Owner:        Jari Arkko
      Target date:  December
      Status today: Being worked on

AP16. WG last call & review on draft-ietf-send-ndopts
      Owner:        Chairs
      Target date:  December
      Status today: Pending on AP13-AP15. 

Review of open milestones
-------------------------

Dec 03  	Submit draft-ietf-send-cga-xx.txt to IESG for approval.
		- will be completed any day now   

Dec 03  	Submit draft-ietf-send-ipsec-xx.txt to IESG for approval.
		- may be delayed until January

Charter review
--------------
Decision not to recharter, since only a technical issue.

--Apple-Mail-4--88420430--



From jari.arkko@lmf.ericsson.se  Mon Dec  8 07:27:02 2003
Mime-Version: 1.0 (Apple Message framework v606)
Content-Transfer-Encoding: 7bit
Message-Id: <36911B77-2977-11D8-A783-000393CE1E8C@ericsson.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
To: ietf-send@standards.ericsson.net
From: Pekka Nikander <pekka.nikander@ericsson.com>
Subject: Preliminary minutes for the Minneapolis meeting
Date: Mon, 8 Dec 2003 14:08:20 +0200
X-Mailer: Apple Mail (2.606)
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

A preliminary version of the Minneapolis meeting
minutes is now available at

http://www.tml.hut.fi/~pnr/SEND/ietf58_send_minutes.html

Please send any comments or corrections before or on
Dec 14th.  I will send the minutes to the proceedings
on Dec 15th.

--Pekka Nikander



From jari.arkko@lmf.ericsson.se  Tue Dec  9 08:03:39 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <pasi.eronen@nokia.com>
Subject: issue 36: modifier length
Date: Tue, 9 Dec 2003 14:57:15 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031209125715.NAMP27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Pasi Eronen wrote:

> Section 5.2: The Modifier field is 16 bits (2 octets), but
> in draft-ietf-send-cga-02, the modifier is 16 octets (128 bits)?

I have now aligned the ND options draft to use the same
length as the CGA draft uses, i.e. 128 bits. The new CGA option
format is:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     | Collision Cnt |   Reserved    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     |                          Modifier                             |
     |                                                               |
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     .                                                               .
     .                        Key Information                        .
     .                                                               .
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     .                                                               .
     .                           Padding                             .
     .                                                               .
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
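
A parser for the option layout drawn above, as an added example that is not part of the original message or of the draft. The type code is a hypothetical placeholder, the Length field is taken to count 8-octet units as for any ND option, and Key Information is assumed to be a single DER-encoded structure whose own length header separates it from the padding.

```python
import struct
from dataclasses import dataclass

# Hypothetical type code: the message does not give the assigned value.
CGA_OPTION_TYPE = 0xF0
MODIFIER_LEN = 16                # 128 bits, the length agreed in issue 36
FIXED_LEN = 4 + MODIFIER_LEN     # Type, Length, Collision Cnt, Reserved, Modifier


@dataclass
class CGAOption:
    collision_count: int
    reserved: int
    modifier: bytes
    key_information: bytes
    padding: bytes


def der_total_length(buf):
    """Length in octets (header plus contents) of the DER element at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    first = buf[1]
    if first < 0x80:                       # short form
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def build_cga_option(collision_count, modifier, key_information):
    """Encode an option, zero-padding it to a multiple of 8 octets."""
    if len(modifier) != MODIFIER_LEN:
        raise ValueError("Modifier must be 16 octets")
    body = bytes([collision_count, 0]) + modifier + key_information
    pad = -(2 + len(body)) % 8
    units = (2 + len(body) + pad) // 8
    if units > 255:
        raise ValueError("option too long for a one-octet Length field")
    return bytes([CGA_OPTION_TYPE, units]) + body + bytes(pad)


def parse_cga_option(data):
    """Split one CGA option into its fields, rejecting inconsistent lengths."""
    if len(data) < FIXED_LEN:
        raise ValueError("shorter than the fixed fields plus 128-bit Modifier")
    opt_type, units, collision, reserved = struct.unpack_from("!BBBB", data)
    if opt_type != CGA_OPTION_TYPE:
        raise ValueError("not a CGA option")
    if units == 0 or units * 8 != len(data):
        raise ValueError("Length field does not match the option size")
    modifier = data[4:FIXED_LEN]
    rest = data[FIXED_LEN:]
    key_len = der_total_length(rest)       # assumption: DER delimits the key
    if key_len > len(rest):
        raise ValueError("Key Information overruns the option")
    return CGAOption(collision, reserved, modifier, rest[:key_len], rest[key_len:])


# Constructed sample input: a 15-octet stand-in for the key structure.
SAMPLE_KEY = bytes([0x30, 0x0D]) + bytes(range(13))
SAMPLE_MODIFIER = bytes(range(16))

if __name__ == "__main__":
    wire = build_cga_option(1, SAMPLE_MODIFIER, SAMPLE_KEY)
    print(len(wire), parse_cga_option(wire))
```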




From jari.arkko@lmf.ericsson.se  Tue Dec  9 08:23:02 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <pasi.eronen@nokia.com>
Subject: issue 37: RS and trust anchors
Date: Tue, 9 Dec 2003 15:17:00 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031209131700.NIQY27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Pasi Eronen wrote:

> Section 8.1.2: the last paragraph should be probably deleted,
> because I guess we don't usually use trust anchor authorization for
> router _solicitations_?

Right. Done.

But I have a question related to Sections 7 (ND) and 8 (RD),
and the overall simplification of the document. Would it
be better if the this-message-must-have-these-options
discussion was a part of Section 5 (new options)?
I believe this would reduce the overlap that currently
exists in the document. The drawback would be that
you'd have to search for, say, RA specific rules from
Section instead of having them grouped in Section 8.

--Jari




From jari.arkko@lmf.ericsson.se  Tue Dec  9 08:42:08 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
Subject: issue page & diffs
Date: Tue, 9 Dec 2003 15:37:22 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031209133722.NRVH27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit


This is an unsolicited announcement about the URLs for
the issue page and the most recent ND options draft. I
have also adopted some new procedures that may be of
interest.

All issues for the draft are listed on the issue
page [1]. Most recent editor's version is at [2]
and [3]. The diffs to -00 are in [4].

I have also adopted a new procedure which allows me
to publish issue specific diff files. To see an example,
click one of the "diffs" buttons on the issue page.
My tool support for this approach works automatically
when the modifications for different issues are not
done in parallel. I.e. I'd like to finish one issue and
go to the next one -- this is an experiment, we'll see
how it goes. Feedback appreciated during the process.

If your issue has been marked as "Solved", it would
probably be a good idea for you to check that you
like the results.

--Jari

[1] http://www.arkko.com/publications/send/issues/
[2] http://www.arkko.com/publications/send/drafts/draft-send-ndopt.txt
[3] http://www.arkko.com/publications/send/drafts/draft-send-ndopt.html
[4] http://www.arkko.com/publications/send/drafts/draft-send-ndoptdiff.html




From jari.arkko@lmf.ericsson.se  Tue Dec  9 09:19:57 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <pasi.eronen@nokia.com>
Subject: issue 39 -- CA cert part of the chain?
Date: Tue, 9 Dec 2003 16:14:14 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031209141414.OHWV27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Pasi Eronen wrote:

> Section 6.5.1: It's not 100% clear whether the certificate
> chain sent should also contain the CA certificate (in most 
> protocols, it's not sent since the client is assumed to have 
> it already).

I agree that CA cert should not be a part of the chain.
And I also agree that the current text does not
specify this. How about this correction:

http://www.arkko.com/publications/send/issues/issue39diff.html

--Jari




From jari.arkko@lmf.ericsson.se  Tue Dec  9 10:06:29 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <pasi.eronen@nokia.com>
Subject: issue 40 -- option ordering
Date: Tue, 9 Dec 2003 16:58:24 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031209145824.OXEM27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit


> Section 5.1 seems to suggest that other options than CGA, Nonce,
> or Timestamp could be placed after the Signature option; however, 
> Section 5.3.1 says the Signature option MUST be the last option. 
> Perhaps 5.1 should be clarified?

Yes. Looking at Section 5.1:

> The CGA option MUST appear before the Signature option.

This requirement is redundant, as the Signature is last in
any case.

> The Nonce option SHOULD appear before the Timestamp option.

At first I thought this was a reasonable requirement. However, looking
at it in more detail, I'm not so sure anymore. Both options are
relatively simple to process, or at least the CPU usage for them is
not a DoS issue. So why require anything? And why require anything
with a SHOULD, since the receiver would have to have code to
handle the general case anyway?

> The Signature option MUST NOT be followed by CGA, Nonce, or
> Timestamp options.

Yet another case of redundancy in the draft.

> It is RECOMMENDED that the options appear in the following order:
> CGA, Nonce, Timestamp, Signature.

More redundancy...

My conclusion is that Section 5.1 is unnecessary and should
be removed. Comments?

--Jari
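
The redundancy argued in the message above can be checked mechanically. This is an added example, not part of the original message or the draft: it walks an ND options area, applies the Section 5.3.1 rule that the Signature option is last, and enumerates every ordering of the four options to confirm that the two MUST rules quoted from Section 5.1 never reject anything the Section 5.3.1 rule accepts. The type codes are hypothetical placeholders.

```python
from itertools import permutations

# Hypothetical type codes: the message does not give the assigned values.
CGA, NONCE, TIMESTAMP, SIGNATURE = 0xF0, 0xF1, 0xF2, 0xF3


def encode_options(types):
    """Constructed sample input: one 8-octet option with a zero body per type."""
    return b"".join(bytes([t, 1]) + bytes(6) for t in types)


def option_types(options):
    """Walk an ND options area and return the option types in wire order."""
    types, off = [], 0
    while off < len(options):
        if len(options) - off < 2:
            raise ValueError("truncated option header")
        opt_type, units = options[off], options[off + 1]
        if units == 0:
            # RFC 2461 requires discarding packets with a zero-length option.
            raise ValueError("zero-length option")
        if off + units * 8 > len(options):
            raise ValueError("option overruns the options area")
        types.append(opt_type)
        off += units * 8
    return types


def signature_is_last(types):
    """Section 5.3.1 as quoted: the Signature option MUST be the last option."""
    return types.count(SIGNATURE) == 1 and types[-1] == SIGNATURE


def cga_before_signature(types):
    """Section 5.1 as quoted: the CGA option MUST appear before Signature."""
    if CGA not in types or SIGNATURE not in types:
        return True
    last_cga = max(i for i, t in enumerate(types) if t == CGA)
    return last_cga < types.index(SIGNATURE)


def nothing_after_signature(types):
    """Section 5.1 as quoted: no CGA, Nonce or Timestamp after Signature."""
    if SIGNATURE not in types:
        return True
    tail = types[types.index(SIGNATURE) + 1:]
    return not any(t in (CGA, NONCE, TIMESTAMP) for t in tail)


def section_5_1_musts_are_redundant():
    """True if every ordering accepted by 5.3.1 also passes both 5.1 MUSTs."""
    for perm in permutations([CGA, NONCE, TIMESTAMP, SIGNATURE]):
        types = list(perm)
        if signature_is_last(types) and not (
            cga_before_signature(types) and nothing_after_signature(types)
        ):
            return False
    return True


if __name__ == "__main__":
    wire = encode_options([CGA, NONCE, TIMESTAMP, SIGNATURE])
    print(signature_is_last(option_types(wire)), section_5_1_musts_are_redundant())
```

Only the Nonce-before-Timestamp SHOULD is independent of the Signature-last rule: an ordering such as CGA, Timestamp, Nonce, Signature passes every check here.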




From jari.arkko@lmf.ericsson.se  Tue Dec  9 10:31:01 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <pasi.eronen@nokia.com>
Subject: issue 41 - delegating authority= IANA or ISP?
Date: Tue, 9 Dec 2003 17:25:04 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031209152504.PDXD27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


Pasi Eronen wrote:

> Section 6.5.1: "The parent certificates in the certificate chain
> MUST contain one or more X.509 IP address extensions, back up to
> the delegating authority (the Regional Address Registry or IANA)
> that delegated the original IP address space block." I think
> it's much more likely that the trust anchor is something below,
> like ISP or company IT administrator.

I agree with you Pasi on this. I believe the current text
assumes a perfect address ownership model for router's
addresses. That is, the authorization should act as a guarantee
that the router really has the addresses it is supposed
to have, all the way up to IANA.

I think it would be difficult to achieve, though
maybe that happens in the future. I certainly hope
so.

But for now, I believe what we can achieve is 
a weaker guarantee: that the addresses are right
as far as the organization that we trust is
concerned -- not necessarily globally right. 
Let's say I work for evil-network-mgmt.com. If
their CA says that they own prefix P and it is for
router R, then I trust that. Even if prefix P
was perhaps stolen from poor-victim.com without
consulting the RIRs or the IANA ;-)

Suggested text change:

  The parent certificates in the certificate chain
  MUST contain one or more X.509 IP address extensions,
  back up to a trusted party (such as the user's ISP)
  that configured the original IP address space block
  for the router in question.

--Jari




From jari.arkko@lmf.ericsson.se  Wed Dec 10 08:17:30 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
CC: <ietf-send@standards.ericsson.net>
Subject: issue 17: functions of redirect
Date: Wed, 10 Dec 2003 15:07:51 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031210130751.SEOD15980.fep20-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

I have reviewed this issue, and read the relevant parts of RFC
2461. This RFC does indeed contain one of Francis' functions, i.e.,
specification of a link-layer address for an on-link destination which
has not been advertised as an on-link prefix:

   Redirect messages are sent by routers to redirect a host to a
   better first-hop router ... or to inform hosts that a destination
   is in fact a neighbor (i.e., on-link).

For the other function, the update of a link-layer address by the
node itself: The RFC prohibits hosts from sending Redirects:

   A host MUST silently discard any received Redirect message that does
   not satisfy all of the following validity checks:
   
      ...

      - The IP source address of the Redirect is the same as the current
        first-hop router for the specified ICMP Destination Address.

      ...

But I think Francis meant that Neighbor Advertisements should be
used for this purpose.

So what text modifications are necessary? Here's my proposal:

Change

   o  The Redirect function is used for automatically redirecting hosts
      to an alternate router.  Redirect is specified in Section 8 of RFC
      2461 [7].  It is similar to the ICMPv4 Redirect function [15].

=>

   o  The Redirect function is used for automatically redirecting a host
      to a better first-hop router, or to inform hosts that a
      destination is in fact a neighbor (i.e., on-link).  Redirect is
      specified in Section 8 of RFC 2461 [7].  It is similar to the
      ICMPv4 Redirect function [15].

This text has already disappeared through other modifications:

   o  Redirect: This message is always sent from the router's link-local
      address to the source address of the packet that triggered the
      Redirect.  Hosts verify that the IP source address of the Redirect
      is the same as the current first-hop router for the specified ICMP
      Destination Address.  Rules in [1] dictate that unspecified,
      anycast, or multicast addresses may not be used as source
      addresses.  Therefore, the destination address will always be a
      unicast address.

This text has already been changed as well:

      The receiver MUST verify that the Redirect message comes from an
      IP address to which the host may have earlier sent the packet that
      the Redirect message now partially returns.  That is, the source
      address of the Redirect message must be the default router or the
      on-link destination host for traffic sent to the destination of
      the returned packet.  If this is not the case, the message MUST be
      silently discarded.

      This step prevents a bogus router from sending a Redirect message
      when the host is not using the bogus router as a default router.

=>

      Note that RFC 2461 rules already prevent a bogus router from
      sending a Redirect message when the host is not using the bogus
      router as a default router.

I think this would cover all that we need to do. Comments?

--Jari
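
The RFC 2461 host-side validity checks this proposal relies on, as an added example (not code from the thread or the draft): a Redirect is accepted only if its source is the current first-hop router for the ICMP Destination Address, and the target is either a router's link-local address or the destination itself (the on-link case). The `Redirect` record, the destination cache and all addresses are constructed for illustration, and the ICMP checksum is assumed to have been verified already.

```python
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.ip_network("fe80::/10")


@dataclass
class Redirect:
    """Fields of a received Redirect that the validity checks look at."""
    src: str                    # IP source address of the Redirect
    hop_limit: int
    code: int
    icmp_len: int               # ICMP length in octets
    target: str                 # ICMP Target Address
    destination: str            # ICMP Destination Address
    option_lengths: tuple = ()  # Length field of each included option


def validate_redirect(r: Redirect, dest_cache: dict, default_router: str) -> str:
    """Return "ok" or the reason for a silent discard (RFC 2461, Section 8.1).

    dest_cache maps a destination to the next hop the host currently uses
    for it; destinations not in the cache go via default_router.
    """
    src = ipaddress.ip_address(r.src)
    target = ipaddress.ip_address(r.target)
    dest = ipaddress.ip_address(r.destination)
    if src not in LINK_LOCAL:
        return "source not link-local"
    if r.hop_limit != 255:
        return "hop limit not 255"
    if r.code != 0:
        return "ICMP code not 0"
    if r.icmp_len < 40:
        return "ICMP length below 40 octets"
    first_hop = ipaddress.ip_address(dest_cache.get(str(dest), default_router))
    if src != first_hop:
        # The check quoted above: only the router the host is actually
        # using for this destination may redirect it.
        return "source is not the current first-hop router"
    if dest.is_multicast:
        return "destination is multicast"
    if target not in LINK_LOCAL and target != dest:
        return "target neither link-local nor the destination"
    if any(length == 0 for length in r.option_lengths):
        return "option with length 0"
    return "ok"


def process_redirect(r: Redirect, dest_cache: dict, default_router: str) -> str:
    """Validate, then record the new next hop for the destination.

    target == destination means the destination is a neighbor (on-link);
    otherwise the target is the better first-hop router.
    """
    verdict = validate_redirect(r, dest_cache, default_router)
    if verdict == "ok":
        dest = str(ipaddress.ip_address(r.destination))
        dest_cache[dest] = str(ipaddress.ip_address(r.target))
    return verdict


if __name__ == "__main__":
    cache, router, dest = {}, "fe80::1", "2001:db8:1::10"   # constructed
    for label, msg in [
        ("better router", Redirect("fe80::1", 255, 0, 40, "fe80::2", dest)),
        ("bogus router", Redirect("fe80::bad", 255, 0, 40, "fe80::bad", dest)),
        ("on-link", Redirect("fe80::2", 255, 0, 40, dest, dest)),
    ]:
        print(label, "->", process_redirect(msg, cache, router), cache)
```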




From jari.arkko@lmf.ericsson.se  Tue Dec 16 08:25:08 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
Subject: issue 28 -- DCS source address
Date: Tue, 16 Dec 2003 15:11:17 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031216131118.FEUM15980.fep20-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


This issue is about the type of the source address in a
DCS message. There has not been that much discussion on this issue,
but I think the feeling was that we should restrict the addresses to
be link-local.

At the same time, I tried to make the keyword rules for the different
DCS & DCA fields consistent. Right now (a leftover from 2461) some of
the fields contain a keyword while others do not. I think it is better
to not include a keyword if the definition of a field is just <some
value>, e.g., a value assigned by IANA for ICMPv6 type, 0 for Code, or
an address of some sort for the source field.

I have also checked the current draft with regards to issue 21, which
had to do with the source address of the DCA message. It seems that
the resolution of that issue did not get reflected in the draft, so I
am changing that as well.

Finally, I edited the behaviour rules to not repeat the format
rules.

The changes can be seen in:

http://www.arkko.com/publications/send/issues/issue28diff.html

--Jari




From jari.arkko@lmf.ericsson.se  Tue Dec 16 18:08:23 2003
Date: Wed, 17 Dec 2003 10:01:08 +1100
From: Greg Daley <greg.daley@eng.monash.edu.au>
Subject: Re: issue 28 -- DCS source address
To: jari.arkko@kolumbus.fi
Cc: ietf-send@standards.ericsson.net
Reply-to: greg.daley@eng.monash.edu.au
Message-id: <3FDF8EB4.8060701@eng.monash.edu.au>
Organization: Monash University
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
X-Accept-Language: en, en-us
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529
References: 
 <20031216131118.FEUM15980.fep20-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

Hi Jari,

jari.arkko@kolumbus.fi wrote:
> This issue is about the type of the source address in a
> DCS message. There has not been that much discussion on this issue,
> but I think the feeling was that we should restrict the addresses to
> be link-local.
> 
> At the same time, I tried to make the keyword rules for the different
> DCS & DCA fields consistent. Right now (a leftover from 2461) some of
> the fields contain a keyword while others do not. I think it is better
> to not include a keyword if the definition of a field is just <some
> value>, e.g., a value assigned by IANA for ICMPv6 type, 0 for Code, or
> an address of some sort for the source field.
> 
> I have also checked the current draft with regards to issue 21, which
> had to do with the source address of the DCA message. It seems that
> the resolution of that issue did not get reflected in the draft, so I
> am changing that as well.
> 
> Finally, I edited the behaviour rules to not repeat the format
> rules.
> 
> The changes can be seen in:
> 
> http://www.arkko.com/publications/send/issues/issue28diff.html
> 
> --Jari

This looks good.

Greg



From jari.arkko@lmf.ericsson.se  Thu Dec 18 17:47:04 2003
Message-ID: <029d01c3c5b7$bf5d0fa0$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <ietf-send@standards.ericsson.net>
Subject: Fw: ID Tracker State Update Notice: draft-ietf-send-psreq
Date: Thu, 18 Dec 2003 14:39:07 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


----- Original Message ----- 
From: "The IESG" <iesg-secretary@ietf.org>
To: <Pekka.Nikander@nomadiclab.com>; <kempf@docomolabs-usa.com>
Sent: Thursday, December 18, 2003 1:08 PM
Subject: ID Tracker State Update Notice: draft-ietf-send-psreq


> 'State Changes to Approved-announcement to be sent from IESG Evaluation by Amy Vezza'
> ID Tracker URL: https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=9439&rfc_flag=0



From jari.arkko@lmf.ericsson.se  Thu Dec 18 17:58:35 2003
Message-ID: <3FE23003.4080901@kolumbus.fi>
Date: Fri, 19 Dec 2003 00:53:55 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: SEND WG <ietf-send@standards.ericsson.net>
Subject: Fwd (bounced): I-D draft-ietf-send-cga-04.txt
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Securing Neighbor Discovery Working Group of the IETF.

	Title		: Cryptographically Generated Addresses (CGA)
	Author(s)	: T. Aura
	Filename	: draft-ietf-send-cga-04.txt
	Pages		: 25
	Date		: 2003-12-18
	
This document describes a method for binding a public signature key
to an IPv6 address in the Secure Neighbor Discovery (SEND) protocol.
Cryptographically Generated Addresses (CGA) are IPv6 addresses where
the interface identifier is generated by computing a cryptographic
one-way hash function from a public key and auxiliary parameters. The
binding between the public key and the address can be verified by
re-computing the hash value and by comparing the hash with the
interface identifier. Messages sent from an IPv6 address can be
protected by attaching the public key and auxiliary parameters and by
signing the message with the corresponding private key. The
protection works without a certification authority or other security
infrastructure.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-send-cga-04.txt

To remove yourself from the IETF Announcement list, send a message to
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-send-cga-04.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv@ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-send-cga-04.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
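
The binding described in the abstract above, as an added example that is not taken from the draft or this list: generating a CGA and verifying it by re-computing the hash and comparing it with the interface identifier. It follows the algorithm as published in RFC 3972, the final form of this draft, which may differ in detail from the -04 version; the public keys are constructed byte strings standing in for a DER-encoded key, extension fields are omitted, and the modifier search starts at 0 instead of a random value so that the run is repeatable.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Bits of the interface identifier compared with Hash1: everything except
# the three leftmost bits (Sec) and the u and g bits.
IID_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed stand-ins for DER-encoded public keys (not real keys).
PUBLIC_KEY_A = b"constructed-public-key-A" * 4
PUBLIC_KEY_B = b"constructed-public-key-B" * 4


@dataclass(frozen=True)
class CGAParams:
    modifier: bytes        # 16 octets
    prefix: bytes          # 8-octet subnet prefix
    collision_count: int   # 0, 1 or 2
    public_key: bytes      # auxiliary parameters above, then the key


def hash1(p: CGAParams) -> int:
    """Leftmost 64 bits of SHA-1 over the whole parameter structure."""
    data = p.modifier + p.prefix + bytes([p.collision_count]) + p.public_key
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """True if the leftmost 16*Sec bits of Hash2 are zero.

    Hash2 covers the modifier, nine zero octets (prefix and collision
    count blanked out) and the public key.
    """
    digest = hashlib.sha1(modifier + bytes(9) + public_key).digest()
    return digest[:2 * sec] == bytes(2 * sec)


def generate(prefix: str, public_key: bytes, sec: int, first_modifier: int = 0):
    """Return (address, parameters) for a /64 prefix and a public key."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("need a /64 prefix and Sec in 0..7")
    pfx = net.network_address.packed[:8]
    m = first_modifier
    # Brute-force search: about 2**(16*Sec) SHA-1 computations on average.
    while not hash2_ok(m.to_bytes(16, "big"), public_key, sec):
        m = (m + 1) % (1 << 128)
    params = CGAParams(m.to_bytes(16, "big"), pfx, 0, public_key)
    iid = (hash1(params) & IID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(pfx + iid.to_bytes(8, "big")), params


def verify(address, p: CGAParams) -> bool:
    """Check that the address is bound to the public key in p."""
    addr = ipaddress.IPv6Address(str(address)).packed
    if p.collision_count not in (0, 1, 2) or len(p.modifier) != 16:
        return False
    if addr[:8] != p.prefix:
        return False
    iid = int.from_bytes(addr[8:], "big")
    if (hash1(p) & IID_MASK) != (iid & IID_MASK):
        return False
    # Sec is read from the address itself, so it cannot be lowered
    # without changing the address.
    return hash2_ok(p.modifier, p.public_key, iid >> 61)


if __name__ == "__main__":
    address, params = generate("2001:db8:0:1::/64", PUBLIC_KEY_A, sec=1)
    print("address:", address)
    print("owner's key verifies:", verify(address, params))
    swapped = CGAParams(params.modifier, params.prefix, 0, PUBLIC_KEY_B)
    print("other key verifies:", verify(address, swapped))
```

Verification only shows that the address was derived from the key; the signature made with the corresponding private key still has to be checked separately.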




From jari.arkko@lmf.ericsson.se  Fri Dec 19 03:24:49 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
CC: <Claude.Castelluccia@inrialpes.fr>
Subject: Another bounce: CGA Feige-Fiat-Shamir paper
Date: Fri, 19 Dec 2003 10:20:20 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031219082020.VEZJ27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk


Claude wrote:

Concerning CGA, I am attaching to this email
a paper that presents a new CGA scheme based
on the small prime variation of the Feige-Fiat-Shamir
signature scheme. It shows that by properly tuning the security
parameters we can get quite some performance improvement
over an RSA-based solution...

I'd like very much to get the WG feedback and comments
about this work.

thanks in advance,

Claude.

------

Your list admin has placed the paper at:
http://www.piuha.net/~jarkko/publications/send/papers/cga-ffs-paper.pdf




From jari.arkko@lmf.ericsson.se  Fri Dec 19 11:05:52 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <kempf@docomolabs-usa.com>
CC: <ietf-send@standards.ericsson.net>
Subject: issue 43 - certs vs. RA prefix checks
Date: Fri, 19 Dec 2003 17:57:16 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031219155716.MZET18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

Jonathan Trostle wrote:

> there's no mention (from my quick read of the
> spec.) regarding whether the host checks that the router advertisement
> (and other NDP message) prefixes are contained in the router
> certificate prefixes or ranges. If not, what action does the host
> take?  Suggestion: if not, the host MUST find a new router.

I agree. I modified the draft as follows to reflect
this:

http://www.arkko.com/publications/send/issues/issue43diff.html

This change relates to the reception of a PI within an RA. Question:
what other situations require this check? Redirect?

--Jari
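
The two prefix checks discussed on this list, as an added example that is not the draft's text or anyone's implementation: the certificate chain must narrow its IP address extensions step by step down from a locally configured trust anchor (issue 41, the anchor being an ISP or site CA, not necessarily IANA), and every prefix in a Router Advertisement must fall inside the router certificate's prefixes (issue 43). Certificates are modelled as plain records, signature verification is assumed to have happened elsewhere, and all names and prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass


class ChainError(Exception):
    """The chain does not establish the router's right to its prefixes."""


@dataclass(frozen=True)
class Cert:
    """The parts of a certificate this check needs (hypothetical record)."""
    subject: str
    issuer: str
    prefixes: tuple   # prefixes from the X.509 IP address extension


def covered(prefix: str, allowed) -> bool:
    """True if prefix lies inside at least one of the allowed prefixes."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def authorized_prefixes(chain, trust_anchors) -> tuple:
    """Walk the chain from the trust anchor down to the router.

    chain[0] is the router certificate and chain[-1] is the certificate
    issued directly by a trust anchor. trust_anchors maps an anchor name
    to the address block the host accepts from it. Returns the router's
    prefixes, or raises ChainError.
    """
    if not chain:
        raise ChainError("empty chain")
    issuer = chain[-1].issuer
    if issuer not in trust_anchors:
        raise ChainError("chain does not end at a configured trust anchor")
    allowed = trust_anchors[issuer]
    for cert in reversed(chain):
        if cert.issuer != issuer:
            raise ChainError("%s was not issued by %s" % (cert.subject, issuer))
        if not cert.prefixes:
            raise ChainError("%s carries no IP address extension" % cert.subject)
        for prefix in cert.prefixes:
            if not covered(prefix, allowed):
                raise ChainError("%s claims %s outside its issuer's block"
                                 % (cert.subject, prefix))
        issuer, allowed = cert.subject, cert.prefixes
    return chain[0].prefixes


def uncovered_ra_prefixes(ra_prefixes, chain, trust_anchors) -> list:
    """Return the advertised prefixes the router is NOT certified for.

    An empty list means the Prefix Information options are all within
    the certificate; anything else is grounds to look for another router.
    """
    allowed = authorized_prefixes(chain, trust_anchors)
    return [p for p in ra_prefixes if not covered(p, allowed)]


# Constructed sample data (documentation prefix 2001:db8::/32).
ANCHORS = {"ISP CA": ("2001:db8::/32",)}
SITE = Cert("Site CA", "ISP CA", ("2001:db8:100::/40",))
ROUTER = Cert("router R", "Site CA",
              ("2001:db8:100:1::/64", "2001:db8:100:2::/64"))
CHAIN = [ROUTER, SITE]

if __name__ == "__main__":
    print(uncovered_ra_prefixes(["2001:db8:100:1::/64"], CHAIN, ANCHORS))
    print(uncovered_ra_prefixes(["2001:db8:100:1::/64", "2001:db8:200:9::/64"],
                                CHAIN, ANCHORS))
```

The guarantee is only as good as the configured anchor: the same chain is accepted or refused depending on which anchors the host trusts, which is the weaker, organization-relative guarantee described under issue 41.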




From jari.arkko@lmf.ericsson.se  Fri Dec 19 11:51:19 2003
Message-ID: <00e601c3c650$1b6a4ae0$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <jari.arkko@kolumbus.fi>
Cc: <ietf-send@standards.ericsson.net>
References: <20031219155716.MZET18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Subject: Re: issue 43 - certs vs. RA prefix checks
Date: Fri, 19 Dec 2003 08:49:45 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Yes, Redirect requires it as well.

            jak

----- Original Message ----- 
From: <jari.arkko@kolumbus.fi>
To: <kempf@docomolabs-usa.com>
Cc: <ietf-send@standards.ericsson.net>
Sent: Friday, December 19, 2003 7:57 AM
Subject: issue 43 - certs vs. RA prefix checks


> Jonathan Trostle wrote:
> 
> > there's no mention (from my quick read of the
> > spec.) regarding whether the host checks that the router advertisement
> > (and other NDP message) prefixes are contained in the router
> > certificate prefixes or ranges. If not, what action does the host
> > take?  Suggestion: if not, the host MUST find a new router.
> 
> I agree. I modified the draft as follows to reflect
> this:
> 
> http://www.arkko.com/publications/send/issues/issue43diff.html
> 
> This change relates to the reception of a PI within an RA. Question:
> what other situations require this check? Redirect?
> 
> --Jari
> 
> 
> 


From jari.arkko@lmf.ericsson.se  Fri Dec 19 11:51:26 2003
Message-ID: <008301c3c64f$aab9b880$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <jari.arkko@kolumbus.fi>, <ietf-send@standards.ericsson.net>
Cc: <Claude.Castelluccia@inrialpes.fr>
References: <20031219082020.VEZJ27281.fep21-app.kolumbus.fi@mta.imail.kolumbus.fi>
Subject: Re: Another bounce: CGA Feige-Fiat-Shamir paper
Date: Fri, 19 Dec 2003 08:46:36 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Hi Claude,

Thanks for your email. Obviously, the paper didn't make it through Ericsson's
spam filter. At this point, the WG has completed work on
draft-ietf-send-cga. Pekka and I just sent it to the IESG this week for
publication.

            jak

----- Original Message ----- 
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
Cc: <Claude.Castelluccia@inrialpes.fr>
Sent: Friday, December 19, 2003 12:20 AM
Subject: Another bounce: CGA Feige-Fiat-Shamir paper


>
> Claude wrote:
>
> Concerning CGA, I am attaching to this email
> a paper that presents a new CGA scheme based
> on the small prime variation of the Feige-Fiat-Shamir
> signature scheme. It shows that by properly tuning the security
> parameters we can get quite some performance improvement
> over a RSA-based solution...
>
> I'd like very much to get the WG feedback and comments
> about this work..
>
> thanks in advance,
>
> Claude.
>
> ------
>
> Your list admin has placed the paper at:
> http://www.piuha.net/~jarkko/publications/send/papers/cga-ffs-paper.pdf
>
>



From jari.arkko@lmf.ericsson.se  Fri Dec 19 13:22:12 2003
Message-ID: <3FE340DA.5080405@kolumbus.fi>
Date: Fri, 19 Dec 2003 20:18:02 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: James Kempf <kempf@docomolabs-usa.com>
CC: ietf-send@standards.ericsson.net
Subject: Re: issue 43 - certs vs. RA prefix checks
References: <20031219155716.MZET18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi> <00e601c3c650$1b6a4ae0$5b6015ac@dclkempt40>
In-Reply-To: <00e601c3c650$1b6a4ae0$5b6015ac@dclkempt40>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

James Kempf wrote:
> Yes, Redirect requires it as well.

Hmm... does this always apply? What if R1 (who has a cert
only for P1) sends a redirect regarding P2, and there's some
other router R2 that has a cert for P2.

--Jari



From jari.arkko@lmf.ericsson.se  Fri Dec 19 13:33:15 2003
Message-ID: <01d401c3c65d$e8509840$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: "Jari Arkko" <jari.arkko@kolumbus.fi>
Cc: <ietf-send@standards.ericsson.net>
References: <20031219155716.MZET18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi> <00e601c3c650$1b6a4ae0$5b6015ac@dclkempt40> <3FE340DA.5080405@kolumbus.fi>
Subject: Re: issue 43 - certs vs. RA prefix checks
Date: Fri, 19 Dec 2003 10:28:31 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Wouldn't H need to have a cert for R2 that listed the prefixes before
executing the Redirect?

I suppose one could argue that since R1 is trusted, H should trust its
recommendation of R2, but this gets into the issue of transitivity, which is
a little tricky. 2461 actually does not require H to send a Router
Solicitation to R2, so the base spec has the issue of trust transitivity in
it.

            jak

----- Original Message ----- 
From: "Jari Arkko" <jari.arkko@kolumbus.fi>
To: "James Kempf" <kempf@docomolabs-usa.com>
Cc: <ietf-send@standards.ericsson.net>
Sent: Friday, December 19, 2003 10:18 AM
Subject: Re: issue 43 - certs vs. RA prefix checks


> James Kempf wrote:
> > Yes, Redirect requires it as well.
>
> Hmm... does this always apply? What if R1 (who has a cert
> only for P1) sends a redirect regarding P2, and there's some
> other router R2 that has a cert for P2.
>
> --Jari
>
>



From jari.arkko@lmf.ericsson.se  Fri Dec 19 17:22:51 2003
Message-ID: <3FE37925.90305@kolumbus.fi>
Date: Sat, 20 Dec 2003 00:18:13 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: James Kempf <kempf@docomolabs-usa.com>
CC: ietf-send@standards.ericsson.net
Subject: Re: issue 43 - certs vs. RA prefix checks
References: <20031219155716.MZET18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi> <00e601c3c650$1b6a4ae0$5b6015ac@dclkempt40> <3FE340DA.5080405@kolumbus.fi> <01d401c3c65d$e8509840$5b6015ac@dclkempt40>
In-Reply-To: <01d401c3c65d$e8509840$5b6015ac@dclkempt40>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

James Kempf wrote:
> Wouldn't H need to have a cert for R2 that listed the prefixes before
> executing the Redirect?
> 
> I suppose one could argue that since R1 is trusted, H should trust its
> recommendation of R2, but this gets into the issue of transitivity, which is
> a little tricky. 2461 actually does not require H to send a Router
> Solicitation to R2, so the base spec has the issue of trust transitivity in
> it.

Let's think about this again. What is a redirect, really? It's not a
declaration of the advertised prefixes of a router. It's a declaration that
you should a given destination is behind another router. So in this
case the Redirect Destination Address may have nothing to do with the
prefixes assigned to the router. Clearly, we are not certifying routing
tables in SEND... Also, the Target Address field is the link-local
address of the better router, so this address can not be compared to
the certificate ranges either.

So one could perhaps make the conclusion that Redirects do not
need to be checked for consistency to the cert address ranges.

However, there is one complication: the usage of Redirect to
announce that the destination is really on-link. In this case
Target Address equals Destination Address. It seems weird that
a certified router (prefix = P) could not advertise a prefix Q
(P != Q) but could send Redirects to everyone who wishes to
send packets to Q. And tell them that Q is really on link.

So this leads me to believe that some new text is needed for
the Redirect case. See for yourselves:

   http://www.arkko.com/publications/send/issues/issue43diff.html

Am I missing something, or is this everything?

--Jari



From jari.arkko@lmf.ericsson.se  Fri Dec 19 17:36:26 2003
Message-ID: <032a01c3c680$3bcf49e0$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: "Jari Arkko" <jari.arkko@kolumbus.fi>
Cc: <ietf-send@standards.ericsson.net>
References: <20031219155716.MZET18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi> <00e601c3c650$1b6a4ae0$5b6015ac@dclkempt40> <3FE340DA.5080405@kolumbus.fi> <01d401c3c65d$e8509840$5b6015ac@dclkempt40> <3FE37925.90305@kolumbus.fi>
Subject: Re: issue 43 - certs vs. RA prefix checks
Date: Fri, 19 Dec 2003 14:34:15 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Jari,

This looks OK. Rereading 2461 more carefully, I now see that, as you state,
the Redirect only applies to a particular destination address, and not for
changing the default router. So, I agree that there isn't a need for prefix
checking, except when informing the node that a particular prefix is on
link.

The proposed text looks fine.

            jak


----- Original Message ----- 
From: "Jari Arkko" <jari.arkko@kolumbus.fi>
To: "James Kempf" <kempf@docomolabs-usa.com>
Cc: <ietf-send@standards.ericsson.net>
Sent: Friday, December 19, 2003 2:18 PM
Subject: Re: issue 43 - certs vs. RA prefix checks


> James Kempf wrote:
> > Wouldn't H need to have a cert for R2 that listed the prefixes before
> > executing the Redirect?
> >
> > I suppose one could argue that since R1 is trusted, H should trust its
> > recommendation of R2, but this gets into the issue of transitivity, which is
> > a little tricky. 2461 actually does not require H to send a Router
> > Solicitation to R2, so the base spec has the issue of trust transitivity in
> > it.
>
> Let's think about this again. What is a redirect, really? It's not a
> declaration of the advertised prefixes of a router. It's a declaration that
> you should a given destination is behind another router. So in this
> case the Redirect Destination Address may have nothing to do with the
> prefixes assigned to the router. Clearly, we are not certifying routing
> tables in SEND... Also, the Target Address field is the link-local
> address of the better router, so this address can not be compared to
> the certificate ranges either.
>
> So one could perhaps make the conclusion that Redirects do not
> need to be checked for consistency to the cert address ranges.
>
> However, there is one complication: the usage of Redirect to
> announce that the destination is really on-link. In this case
> Target Address equals Destination Address. It seems weird that
> a certified router (prefix = P) could not advertise a prefix Q
> (P != Q) but could send Redirects to everyone who wishes to
> send packets to Q. And tell them that Q is really on link.
>
> So this leads me to believe that some new text is needed for
> the Redirect case. See for yourselves:
>
>    http://www.arkko.com/publications/send/issues/issue43diff.html
>
> Am I missing something, or is this everything?
>
> --Jari
>
>
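
The check this thread converges on, as an added example (not text from the
draft and not code from any SEND implementation): Prefix Information
prefixes in an RA must fall inside the router certificate's ranges, while a
Redirect is checked only when Target Address equals Destination Address.
RouterCert, the function names and the 2001:db8:: addresses are constructed
here; signature and certificate-chain validation are assumed to have
already succeeded, and rejecting a failed on-link Redirect is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Verdict(Enum):
    ACCEPT_NEXT_HOP = "accept: better first hop, no prefix check applies"
    ACCEPT_ON_LINK = "accept: on-link destination is inside certified prefixes"
    REJECT_ON_LINK = "reject: on-link claim is outside certified prefixes"


@dataclass(frozen=True)
class RouterCert:
    """Hypothetical model holding only the prefixes taken from the
    X.509 IP address extension of an already-validated router cert."""
    authorized: Tuple[ipaddress.IPv6Network, ...]

    def covers_prefix(self, prefix: ipaddress.IPv6Network) -> bool:
        # A shorter (wider) prefix than the certified one is NOT covered.
        return any(prefix.subnet_of(a) for a in self.authorized)

    def covers_address(self, addr: ipaddress.IPv6Address) -> bool:
        return any(addr in a for a in self.authorized)


def check_router_advertisement(
    cert: RouterCert, pi_prefixes: Iterable[str]
) -> Tuple[bool, List[ipaddress.IPv6Network]]:
    """Return (ok, offending). ok is False if any Prefix Information
    option advertises a prefix outside the certificate's ranges; per the
    thread, the host then has to look for another router."""
    offending = [
        p for p in (ipaddress.IPv6Network(s) for s in pi_prefixes)
        if not cert.covers_prefix(p)
    ]
    return (not offending, offending)


def check_redirect(cert: RouterCert, target: str, destination: str) -> Verdict:
    """Apply the Redirect rule discussed for issue 43."""
    tgt = ipaddress.IPv6Address(target)
    dst = ipaddress.IPv6Address(destination)
    if tgt != dst:
        # Target is the link-local address of a better router and the
        # destination may be anywhere: nothing to compare to the cert.
        return Verdict.ACCEPT_NEXT_HOP
    # Target == Destination: the router claims the destination is on-link,
    # which is effectively a prefix claim and must match the cert.
    if cert.covers_address(dst):
        return Verdict.ACCEPT_ON_LINK
    return Verdict.REJECT_ON_LINK


# Constructed sample: router certified for prefix P = 2001:db8:1::/48.
SAMPLE_CERT = RouterCert((ipaddress.IPv6Network("2001:db8:1::/48"),))

if __name__ == "__main__":
    print(check_router_advertisement(SAMPLE_CERT, ["2001:db8:1:a::/64"]))
    print(check_router_advertisement(SAMPLE_CERT, ["2001:db8:2::/64"]))
    print(check_redirect(SAMPLE_CERT, "fe80::2", "2001:db8:2::10"))
    print(check_redirect(SAMPLE_CERT, "2001:db8:2::10", "2001:db8:2::10"))
```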



From jari.arkko@lmf.ericsson.se  Sat Dec 20 05:30:06 2003
Message-ID: <3FE421B0.1000702@kolumbus.fi>
Date: Sat, 20 Dec 2003 12:17:20 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: SEND WG <ietf-send@standards.ericsson.net>,
        James Kempf <kempf@docomolabs-usa.com>,
        Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: issue 44 - host to check its own address against router cert prefixes?
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit


Jonathan Trostle wrote:

> Jonathan Trostle: (2) there's no mention of whether the host checks
> that its IP address is contained in the prefixes or ranges in the
> router's certificate.  Suggestion: if not, the host MUST either find a
> new router or obtain a new IP address and recheck.  (An IP address
> might be obtained using DHCP as well).

And James Kempf wrote:

> James Kempf: I think there's an implicit assumption that CGAs are
> being used with secure RAs, which might not necessarily be the case,
> so there probably should be some text in the spec about this.

First I'd like to understand this issue better. I think
you are not talking about the router's own address -- because
the router's address is either (a) link local or (b) given
through the R flag and automatically within an advertised prefix.
So I think we can agree that it is not possible for routers
to give wrong addresses, as long as their RAs are valid.

Secondly, we have the issue of the host's own addresses.
I don't think this is a matter of just checking if we have the
right type of address already. When we receive the RA, we
are building the default router list as well as a list of
prefixes for the link. If this is the first time we hear
from this router, it is possible that we have not heard
from the prefixes yet either. So in this case we would need
to adopt the router at least as far as prefixes and address
autoconfiguration goes. When DAD completes later, at that
point the host may for the first time have an address that
is in the range of the router's certificates.

I do not think we need to do anything special to cause
address autoconfiguration to be performed for new prefixes,
standard ND already takes care of that.

But the question is perhaps what to do in terms of routing.
As far as I know -- but I could easily have missed something -
RFC 2461 does not restrict the use of a default router for
just traffic that uses this router's prefixes. There is also
no rule that says we can use a default router only if
we have succeeded in defining an address for one of the
prefixes advertised by the router.

Is there a need to change this for SEND? I'm not sure I
see a need for a host to define an address P::IID just
because it wants to send something from Q::IID over a
router that only advertises P. There is no connection
between P and Q, so I'm not sure what this would help.

However, is there a need to restrict all traffic out
from the router to use just those prefixes that the
router advertised and is authorized to advertise?
If we did this, it would provide automatic ingress
filtering... but perhaps it would be too limiting.

If we do not do this, a legitimate router could
appear in other links, and fool hosts to use itself
as a default router, even for traffic which uses
prefixes that the router is not authorized to
advertise.

I guess the question is what the certificates actually
authorize the router to do: to advertise prefixes,
or to route traffic? Our own document seems confused
on this point. Extract from Section 6.1.1:

    The X.509 IP address extension MUST contain at least one
    addressesOrRanges element that contains an addressPrefix element with
    an IPv6 address prefix for a prefix the router or the intermediate
    entity is authorized to advertise.  If the entity is allowed to route
    any prefix, the used IPv6 address prefix is the null prefix, 0/0.

We have the following alternatives:

(1) Define the IP addresses as *advertisement* rights. No checks
     for using a default router.
(2) Define the IP addresses as *routing* rights. Then routers
     might actually advertise less prefixes than they are authorized
     to route. A check would be needed to prevent hosts from using
     a default router for packets that have a source address not
     belonging to the authorized set.
(3) Do (1) now and work on (2) later.

I think option (2) sounds like the right one. What do others think?
Are there any issues in the host routing check that this would
imply? Note that it would be at least conceptually a per-packet
check.

--Jari




From jari.arkko@lmf.ericsson.se  Sun Dec 21 18:07:50 2003
Message-ID: <3FE6268F.3030800@kolumbus.fi>
Date: Mon, 22 Dec 2003 01:02:39 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: SEND WG <ietf-send@standards.ericsson.net>,
        James Kempf <kempf@docomolabs-usa.com>
Subject: issue 31 -- source address selection
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit


I'm trying to close this issue. We have already agreed that
Samita's API draft is doing the right thing. I think you James
said also that an update of the default source address selection
rules for IPv6 & CGAs is not a task that we should do here.

Is this correct? What does that leave to be done?

Perhaps there is still need to state that the CGA addresses
should be used, without stating anything about the preference
rule ordering? Also, we may need to provide an informational
reference to Samita's draft.

How about this, to be inserted to Section 7:

     By default, a SEND-enabled node SHOULD use only CGAs
     as its own addresses. Other types of addresses MAY be
     used in testing, diagnostics or other purposes. However,
     this document does not describe how to choose between
     different types of addresses for different communications.
     A dynamic selection can be provided by an API, such as the
     one defined in [draft-chakrabarti].

--Jari




From jari.arkko@lmf.ericsson.se  Mon Dec 22 06:01:50 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
Subject: issue 33 - SEND and L2 security
Date: Mon, 22 Dec 2003 12:56:43 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031222105643.FUYQ18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

My intention is to close this issue. I think we agree that there
are issues if there is no L2 security and that there are issues
if there is no L2 - L3 binding. In terms of our document, I think
we agreed about the following:

  o  Say that there is need for L2 security, as the current first
     paragraph in Section 11.1 does.

  o  Add text to state that a binding between L2 and L3 would be
     desirable but that this document does not cover it.

  o  Remove detailed discussion of IEEE 802 security specifications;
     this is not in our scope.

Note that this changes the parts that we already agreed in issue 24.
But I think the new text is better, as it still describes the issues
but does not go into the details of specific link layers.

I also downgraded the "MUST use link layer security" to a SHOULD. I
think it would make sense to use SEND even if you did not have a
secure link layer -- such as on an IETF wireless network -- and doing
so should not violate the standards.

Here's the new Section 11.1 text relating to this issue:

   SEND does not compensate for an insecure link layer.  For instance,
   there is no assurance that payload packets actually come from the
   same peer that the Neighbor Discovery protocol was run against.

   SEND does not provide confidentiality for Neighbor Discovery
   communications.

   There may be no cryptographic binding in SEND between the link layer
   frame address and the IPv6 address.  On an insecure link layer that
   allows nodes to spoof the link layer address of other nodes, an
   attacker could disrupt IP service by sending out a Neighbor
   Advertisement having the source address on the link layer frame of a
   victim, a valid CGA address and a valid signature corresponding to
   itself, and a Target Link-layer Address extension corresponding to
   the victim.  The attacker could then proceed to cause a traffic
   stream to bombard the victim in a DoS attack.  To protect against
   such attacks, link layer security SHOULD be used.

   Even on a secure link layer, SEND does not require that the addresses
   on the link layer and Neighbor Advertisements correspond to each
   other.  However, it is RECOMMENDED that such checks be performed
   where this is possible on the given link layer technology.

The modifications are also visible in
http://www.piuha.net/~jarkko/publications/send/issues/issue33diff.html

Comments appreciated.




From jari.arkko@lmf.ericsson.se  Mon Dec 22 09:09:41 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <pasi.eronen@nokia.com>
CC: <ietf-send@standards.ericsson.net>
Subject: issue 45 -- NA issues, mixed mode
Date: Mon, 22 Dec 2003 15:59:51 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031222135951.HBHI18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit


Pasi,

> Section 9 says that "Unsolicited Neighbor and Router Advertisements 
> sent by a SEND router MUST be secured.". I guess the text about
> unsolicited NAs applies also to non-router SEND nodes?

Section 9 text has now been clarified & simplified. It now reads
as follows:

   In a mixed environment SEND nodes follow the protocols defined in
   RFC 2461 and RFC 2462 with the following exceptions:

      All solicitations sent by SEND nodes MUST be secured.

      Unsolicited advertisements sent by a SEND node MUST be secured.

      A SEND node MUST send a secured advertisement in response to a
      secured solicitation.  Advertisements sent in response to an
      insecure solicitation MUST be secured as well, but MUST NOT
      contain the Nonce option.

      ...

> Section 11.2.1: Should this section also mention the case when
> cache entries are created as a side effect of non-DAD Neighbor
> Solicitation, or when cache entries are updated as a result of
> unsolicited Neighbor Advertisement?

It should! In addition I have shortened the text and removed the
subsections. Here's the updated version:

   This threat is defined in Section 4.1.1 of [27].  The threat is that
   a spoofed message may cause a false entry in a node's Neighbor Cache.
   There are two cases:

   1.  Entries made as a side effect of a Neighbor Solicitation or
       Router Solicitation.  A router receiving a Router Solicitation
       with a firm IPv6 source address and a Target Link-Layer Address
       extension inserts an entry for the IPv6 address into its Neighbor
       Cache.  Also, a node performing Duplicate Address Detection (DAD)
       that receives a Neighbor Solicitation for the same address
       regards the situation as a collision and ceases to solicit for
       the address.

       In either case, SEND counters these threats by requiring the
       Signature and CGA options to be present in such solicitations.

       As discussed in Section 8.1, SEND nodes preferably send Router
       Solicitations with a CGA source address, which the router can
       verify, so the Neighbor Cache binding is correct.  If a SEND node
       must send a Router Solicitation with the unspecified address, the
       router will not update its Neighbor Cache, as per RFC 2461.

   2.  Entries made as a result of a Neighbor Advertisement message.
       SEND counters this threat by requiring the Signature and CGA
       options to be present in these advertisements.

   See also Section 11.2.5, below, for discussion about replay
   protection and timestamps.

In addition, the normative part of the document appears incorrect,
as the CGA option is not required for solicitations that might
have an effect. This has now been corrected, Section 7:

      All Neighbor Solicitation messages sent MUST contain the Nonce,
      Timestamp, CGA, and Signature options.  The Signature option MUST
      be constructed with the sender's key pair, using the configured
      authorization method(s), and if applicable, using the trust anchor
      and/or minSec value as configured.

And Section 8:

      Router Solicitation messages sent with an unspecified source
      address MUST have the Nonce and Timestamp options.

      Other Router Solicitations MUST have the Nonce, Timestamp, CGA,
      and Signature options.  The Signature option MUST be configured
      with the sender's key pair, setting the authorization method and
      additional information as is configured.

> (BTW, I have a feeling that some parts of the document don't
> take unsolicited NAs into account)

I went through the document but could not find anything alarming
about this. You do not have a specific part of the document in
mind?

--Jari




From jari.arkko@lmf.ericsson.se  Mon Dec 22 09:33:12 2003
X-Mailer: Openwave WebEngine, version 2.8.10 (webedge20-101-191-20030113)
From: <jari.arkko@kolumbus.fi>
To: <pasi.eronen@nokia.com>
CC: <ietf-send@standards.ericsson.net>
Subject: issue 46 - fuzz factor
Date: Mon, 22 Dec 2003 16:29:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20031222142925.HFHU18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Pasi,

> Section 5.4.2.2: The timestamp should also have some fuzz
> factor taking the typical resolution of timestamps (e.g., 1 second)
> into account. Otherwise we get a situation like this:
> 
> (Let's assume that both hosts have perfectly synchronized and accurate
> clocks, timestamp resolution is 1 second, and transmission delay is
> 100 ms.)
> 
>    10.100 Sender sends a message, with Timestamp value 10
>    10.200 Packet is received (RDnew=10, TSnew=10).  
>           This is a new message, so we store RDlast=10, TSlast=10.
>    11.950 Sender sends another message, with Timestamp value 11
>    12.050 Packet is received (RDnew=12, TSnew=11). This is a known 
>           peer, so we compare 11 > 10 + (12-10)*(1-0.01). 
>           Unfortunately, this fails!

I thought about this for a while, and at first it seemed
like requiring a higher clock resolution would solve it. But I don't
think we can mandate more than one second's resolution for all possible
types of nodes. So your suggestion of a fuzz factor sounds reasonable.

Here's the new text:

   Receivers SHOULD be configured with an allowed timestamp Delta value,
   a "fuzz factor" for comparisons, and an allowed clock drift
   parameter.  The recommended default value for the allowed Delta is
   3,600 seconds (1 hour), for fuzz factor 1 second, and for clock drift
   1% (0.01).

   ...

   o  When a message is received from a known peer, i.e., one that
      already has an entry in the cache, the time stamp is checked
      against the previously received SEND message:

        TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz


--------------------------------------------------------------------
To unsubscribe from this list, send email with "UNSUBSCRIBE" in the
body to <ietf-send-request@standards.ericsson.net>.
Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html
--------------------------------------------------------------------
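The known-peer comparison from the message above, run over Pasi's timeline, as an added example (not code from the draft or from any SEND implementation). The `PeerEntry` record and the function names are assumptions; the constants are the defaults recommended in the new text. It also lists the receive-time gaps at which a message repeating the last accepted Timestamp value still passes once the fuzz factor is applied on both sides.

```python
import math
from dataclasses import dataclass

FUZZ = 1.0    # seconds, recommended default in the new text
DRIFT = 0.01  # 1% allowed clock drift, recommended default in the new text


@dataclass
class PeerEntry:
    """Hypothetical cache record for a known peer (name is an assumption)."""
    rd_last: float  # RDlast: local receive time of the last accepted message
    ts_last: float  # TSlast: Timestamp option value carried by that message


def check_without_fuzz(peer, rd_new, ts_new, drift=DRIFT):
    """Comparison in Pasi's walk-through: TSnew > TSlast + (RDnew - RDlast) x (1 - drift)."""
    return ts_new > peer.ts_last + (rd_new - peer.rd_last) * (1 - drift)


def check_with_fuzz(peer, rd_new, ts_new, fuzz=FUZZ, drift=DRIFT):
    """New text: TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz."""
    return ts_new + fuzz > peer.ts_last + (rd_new - peer.rd_last) * (1 - drift) - fuzz


def quantize(t, resolution=1.0):
    """Truncate a clock reading to the timestamp resolution (1 second in the example)."""
    return math.floor(t / resolution) * resolution


def pasi_timeline(delay=0.100, send1=10.100, send2=11.950):
    """Rebuild the timeline from the message: synchronized clocks, 100 ms transit."""
    # First message: new peer, so its values are stored as RDlast / TSlast.
    peer = PeerEntry(rd_last=quantize(send1 + delay), ts_last=quantize(send1))
    # Second message from the same, now known, peer.
    rd_new, ts_new = quantize(send2 + delay), quantize(send2)
    return {
        "stored": (peer.rd_last, peer.ts_last),
        "second": (rd_new, ts_new),
        "without_fuzz": check_without_fuzz(peer, rd_new, ts_new),
        "with_fuzz": check_with_fuzz(peer, rd_new, ts_new),
    }


def repeated_timestamp_deltas(max_delta=5, fuzz=FUZZ, drift=DRIFT):
    """Whole-second receive-time gaps at which a message with TSnew == TSlast passes.

    Setting TSnew = TSlast in the new comparison gives
    RDnew - RDlast < 2 x fuzz / (1 - drift), which this scan confirms.
    """
    peer = PeerEntry(rd_last=10.0, ts_last=10.0)  # constructed values
    return [d for d in range(max_delta + 1)
            if check_with_fuzz(peer, peer.rd_last + d, peer.ts_last, fuzz, drift)]


if __name__ == "__main__":
    result = pasi_timeline()
    print("stored (RDlast, TSlast):", result["stored"])
    print("second (RDnew, TSnew): ", result["second"])
    print("accepted without fuzz: ", result["without_fuzz"])
    print("accepted with fuzz:    ", result["with_fuzz"])
    print("gaps accepting a repeated Timestamp:", repeated_timestamp_deltas())
```

With the defaults, the timestamp comparison alone does not reject a message repeating the last Timestamp value until the receive-time gap reaches 2 x fuzz / (1 - drift), about 2.02 seconds.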


From jari.arkko@lmf.ericsson.se  Mon Dec 22 12:53:57 2003
Message-ID: <039001c3c8b3$f38ea960$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: "Jari Arkko" <jari.arkko@kolumbus.fi>,
        "SEND WG" <ietf-send@standards.ericsson.net>,
        "Pekka Nikander" <pekka.nikander@nomadiclab.com>
References: <3FE421B0.1000702@kolumbus.fi>
Subject: Re: issue 44 - host to check its own address against router cert prefixes?
Date: Mon, 22 Dec 2003 09:49:30 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

I agree with option 2 but I don't think we need to specify how to do ingress
filtering in the document, though it might be worthwhile to reference a
document where it is described. A reference might be hard to track down,
though, since it is such a commonly known security technique.

            jak


----- Original Message ----- 
From: "Jari Arkko" <jari.arkko@kolumbus.fi>
To: "SEND WG" <ietf-send@standards.ericsson.net>; "James Kempf"
<kempf@docomolabs-usa.com>; "Pekka Nikander" <pekka.nikander@nomadiclab.com>
Sent: Saturday, December 20, 2003 2:17 AM
Subject: issue 44 - host to check its own address against router cert
prefixes?


>
> Jonathan Trostle wrote:
>
> > Jonathan Trostle: (2) there's no mention of whether the host checks
> > that its IP address is contained in the prefixes or ranges in the
> > router's certificate.  Suggestion: if not, the host MUST either find a
> > new router or obtain a new IP address and recheck.  (An IP address
> > might be obtained using DHCP as well).
>
> And James Kempf wrote:
>
> > James Kempf: I think there's an implicit assumption that CGAs are
> > being used with secure RAs, which might not necessarily be the case,
> > so there probably should be some text in the spec about this.
>
> First I'd like to understand this issue better. I think
> you are not talking about the router's own address -- because
> the router's address is either (a) link local or (b) given
> through the R flag and automatically within an advertised prefix.
> So I think we can agree that it is not possible for routers
> to give wrong addresses, as long as their RAs are valid.
>
> Secondly, we have the issue of the host's own addresses.
> I don't think this is a matter of just checking if we have the
> right type of address already. When we receive the RA, we
> are building the default router list as well as a list of
> prefixes for the link. If this is the first time we hear
> from this router, it is possible that we have not heard
> from the prefixes yet either. So in this case we would need
> to adopt the router at least as far as prefixes and address
> autoconfiguration goes. When DAD completes later, at that
> point the host may for the first time have an address that
> is in the range of the router's certificates.
>
> I do not think we need to do anything special to cause
> address autoconfiguration to be performed for new prefixes,
> standard ND already takes care of that.
>
> But the question is perhaps what to do in terms of routing.
> As far as I know -- but I could easily have missed something -
> RFC 2461 does not restrict the use of a default router for
> just traffic that uses this router's prefixes. There is also
> no rule that says we can use a default router only if
> we have succeeded in defining an address for one of the
> prefixes advertised by the router.
>
> Is there a need to change this for SEND? I'm not sure I
> see a need for a host to define an address P::IID just
> because it wants to send something from Q::IID over a
> router that only advertises P. There is no connection
> between P and Q, so I'm not sure what this would help.
>
> However, is there a need to restrict all traffic out
> from the router to use just those prefixes that the
> router advertised and is authorized to advertise?
> If we did this, it would provide automatic ingress
> filtering... but perhaps it would be too limiting.
>
> If we do not do this, a legitimate router could
> appear in other links, and fool hosts to use itself
> as a default router, even for traffic which uses
> prefixes that the router is not authorized to
> advertise.
>
> I guess the question is what the certificates actually
> authorize the router to do: to advertise prefixes,
> or to route traffic? Our own document seems confused
> on this point. Extract from Section 6.1.1:
>
>     The X.509 IP address extension MUST contain at least one
>     addressesOrRanges element that contains an addressPrefix element with
>     an IPv6 address prefix for a prefix the router or the intermediate
>     entity is authorized to advertise.  If the entity is allowed to route
>     any prefix, the used IPv6 address prefix is the null prefix, 0/0.
>
> We have the following alternatives:
>
> (1) Define the IP addresses as *advertisement* rights. No checks
>      for using a default router.
> (2) Define the IP addresses as *routing* rights. Then routers
>      might actually advertise less prefixes than they are authorized
>      to route. A check would be needed to prevent hosts from using
>      a default router for packets that have a source address not
>      belonging to the authorized set.
> (3) Do (1) now and work on (2) later.
>
> I think option (2) sounds the right one. What do others think?
> Are there any issues in the host routing check that this would
> imply? Note that it would be at least conceptually a per-packet
> check.
>
> --Jari
>
>
>

--------------------------------------------------------------------
To unsubscribe from this list, send email with "UNSUBSCRIBE" in the
body to <ietf-send-request@standards.ericsson.net>.
Archive: http://standards.ericsson.net/lists/ietf-send/maillist.html
--------------------------------------------------------------------
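A sketch of the host-side check that option (2) in the quoted message implies, as an added example (not text from the draft or code from an implementation): the prefixes in a router's certificate are treated as routing rights, and a default router is used only for packets whose source address falls inside them. The `Router` record, `RouterSelector`, the function names and the 2001:db8::/32 documentation prefixes are assumptions, and the certificate chain is assumed to have been verified already.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    """Hypothetical default-router-list entry (names are assumptions)."""
    name: str
    authorized: tuple  # IPv6Network objects taken from the verified certificate


def make_router(name, *prefixes):
    return Router(name, tuple(ipaddress.IPv6Network(p) for p in prefixes))


def may_route(router, src):
    """True if the source address lies inside a prefix the router is authorized for."""
    src = ipaddress.IPv6Address(src)
    return any(src in prefix for prefix in router.authorized)


class RouterSelector:
    """Per-packet check in concept; the answer depends only on the source
    address, so decisions are cached until the router list changes."""

    def __init__(self, routers):
        self._routers = list(routers)
        self._cache = {}

    def update(self, routers):
        """Replace the default router list and drop cached decisions."""
        self._routers = list(routers)
        self._cache.clear()

    def select(self, src):
        """First router in list order authorized for src, or None if there is none."""
        src = ipaddress.IPv6Address(src)
        if src not in self._cache:
            self._cache[src] = next(
                (r for r in self._routers if may_route(r, src)), None)
        return self._cache[src]


# Constructed sample data: P and Q are unrelated prefixes, as in the message.
P = "2001:db8:aaaa::/48"
Q = "2001:db8:bbbb::/48"
ROUTER_P = make_router("router-P", P)
# The null prefix ("0/0" in the Section 6.1.1 extract) written as ::/0 for IPv6.
ROUTER_ANY = make_router("router-any", "::/0")


def demo():
    selector = RouterSelector([ROUTER_P])
    from_q = selector.select("2001:db8:bbbb::1")   # Q::IID over a P-only router
    from_p = selector.select("2001:db8:aaaa::1")   # P::IID over the same router
    selector.update([ROUTER_P, ROUTER_ANY])
    from_q_any = selector.select("2001:db8:bbbb::1")
    return (from_q, from_p.name, from_q_any.name)


if __name__ == "__main__":
    print(demo())
```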


From jari.arkko@lmf.ericsson.se  Mon Dec 22 12:54:08 2003
Message-ID: <039801c3c8b4$2fef3460$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <jari.arkko@kolumbus.fi>, <ietf-send@standards.ericsson.net>
References: <20031222105643.FUYQ18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Subject: Re: issue 33 - SEND and L2 security
Date: Mon, 22 Dec 2003 09:51:11 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk
Content-Transfer-Encoding: 7bit

Sounds fine.

            jak

----- Original Message ----- 
From: <jari.arkko@kolumbus.fi>
To: <ietf-send@standards.ericsson.net>
Sent: Monday, December 22, 2003 2:56 AM
Subject: issue 33 - SEND and L2 security


> My intention is to close this issue. I think we agree that there
> are issues if there is no L2 security and that there are issues
> if there is no L2 - L3 binding. In terms of our document, I think
> we agreed about the following:
> 
>   o  Say that there is need for L2 security, as the current first
>      paragraph in Section 11.1 does.
> 
>   o  Add text to state that a binding between L2 and L3 would be
>      desirable but that this document does not cover it.
> 
>   o  Remove detailed discussion of IEEE 802 security specifications;
>      this is not in our scope.
> 
> Note that this changes the parts that we already agreed in issue 24.
> But I think the new text is better, as it still describes the issues
> but does not go into the details of specific link layers.
> 
> I also downgraded the "MUST use link layer security" to a SHOULD. I
> think it would make sense to use SEND even if you did not have a
> secure link layer -- such as on an IETF wireless network -- and doing
> so should not violate the standards.
> 
> Here's the new Section 11.1 text relating to this issue:
> 
>    SEND does not compensate for an insecure link layer.  For instance,
>    there is no assurance that payload packets actually come from the
>    same peer that the Neighbor Discovery protocol was run against.
> 
>    SEND does not provide confidentiality for Neighbor Discovery
>    communications.
> 
>    There may be no cryptographic binding in SEND between the link layer
>    frame address and the IPv6 address.  On an insecure link layer that
>    allows nodes to spoof the link layer address of other nodes, an
>    attacker could disrupt IP service by sending out a Neighbor
>    Advertisement having the source address on the link layer frame of a
>    victim, a valid CGA address and a valid signature corresponding to
>    itself, and a Target Link-layer Address extension corresponding to
>    the victim.  The attacker could then proceed to cause a traffic
>    stream to bombard the victim in a DoS attack.  To protect against
>    such attacks, link layer security SHOULD be used.
> 
>    Even on a secure link layer, SEND does not require that the addresses
>    on the link layer and Neighbor Advertisements correspond to each
>    other.  However, it is RECOMMENDED that such checks be performed
>    where this is possible on the given link layer technology.
> 
> The modifications are also visible in
> http://www.piuha.net/~jarkko/publications/send/issues/issue33diff.html
> 
> Comments appreciated.
> 
> 


From jari.arkko@lmf.ericsson.se  Mon Dec 22 13:07:11 2003
Message-ID: <03cc01c3c8b5$dc2d7bf0$5b6015ac@dclkempt40>
From: "James Kempf" <kempf@docomolabs-usa.com>
To: <ietf-send@standards.ericsson.net>
Cc: <Margaret.Wasserman@nokia.com>,
        "Pekka Nikander" <pekka.nikander@nomadiclab.com>
References: <E1AYUFh-0000W1-SG@asgard.ietf.org>
Subject: Re: Document Action: 'IPv6 Neighbor Discovery trust models and          threats' to Informational RFC 
Date: Mon, 22 Dec 2003 10:03:10 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk

Folks,

As this message indicates, the IESG has just approved the psreq draft as an
Informational RFC. I would like to thank Margaret for her prompt action on
the document in the IESG, and Pekka and the Working Group for their prompt
turnaround of the IESG comments.


            jak

----- Original Message ----- 
From: "The IESG" <iesg-secretary@ietf.org>
To: <IETF-Announce:>
Cc: "Internet Architecture Board" <iab@iab.org>; "RFC Editor" <rfc-editor@rfc-editor.org>; <ietf-send@standards.ericsson.net>
Sent: Monday, December 22, 2003 9:53 AM
Subject: Document Action: 'IPv6 Neighbor Discovery trust models and threats' to Informational RFC


> The IESG has approved the following document:
>
> - 'IPv6 Neighbor Discovery trust models and threats '
>    <draft-ietf-send-psreq-04.txt> as an Informational RFC
>
> This document is the product of the Securing Neighbor Discovery Working
> Group.
>
> The IESG contact persons are Margaret Wasserman and Thomas Narten.


From jari.arkko@lmf.ericsson.se  Mon Dec 22 13:57:55 2003
Message-ID: <001701c3c8bd$1cba6e60$681067c0@adithya>
From: "Mohan Parthasarathy" <mohanp@sbcglobal.net>
To: <jari.arkko@kolumbus.fi>, <ietf-send@standards.ericsson.net>
References: <20031222105643.FUYQ18555.fep06-app.kolumbus.fi@mta.imail.kolumbus.fi>
Subject: Re: issue 33 - SEND and L2 security
Date: Mon, 22 Dec 2003 10:55:04 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Sender: owner-ietf-send@standards.ericsson.net
Precedence: bulk



> My intention is to close this issue. I think we agree that there
> are issues if there is no L2 security and that there are issues
> if there is no L2 - L3 binding. In terms of our document, I think
> we agreed about the following:
>
>   o  Say that there is need for L2 security, as the current first
>      paragraph in Section 11.1 does.
>
>   o  Add text to state that a binding between L2 and L3 would be
>      desirable but that this document does not cover it.
>
>   o  Remove detailed discussion of IEEE 802 security specifications;
>      this is not in our scope.
>
> Note that this changes the parts that we already agreed in issue 24.
> But I think the new text is better, as it still describes the issues
> but does not go into the details of specific link layers.
>
> I also downgraded the "MUST use link layer security" to a SHOULD. I
> think it would make sense to use SEND even if you did not have a
> secure link layer -- such as on an IETF wireless network -- and doing
> so should not violate the standards.
>
> Here's the new Section 11.1 text relating to this issue:
>
>    SEND does not compensate for an insecure link layer.  For instance,
>    there is no assurance that payload packets actually come from the
>    same peer that the Neighbor Discovery protocol was run against.
>
>    SEND does not provide confidentiality for Neighbor Discovery
>    communications.
>
>    There may be no cryptographic binding in SEND between the link layer
>    frame address and the IPv6 address.  On an insecure link layer that
>    allows nodes to spoof the link layer address of other nodes, an
>    attacker could disrupt IP service by sending out a Neighbor
>    Advertisement having the source address on the link layer frame of a
>    victim, a valid CGA address and a valid signature corresponding to
>    itself, and a Target Link-layer Address extension corresponding to
>    the victim.  The attacker could then proceed to cause a traffic
>    stream to bombard the victim in a DoS attack.  To protect against
>    such attacks, link layer security SHOULD be used.
>
The last sentence is confusing. The bulk of the text above explains the
attack. At last it says the link layer security provides protection, which
is not completely correct. The following paragraph below explains what is
needed to prevent the attack. So, I would suggest removing the last
sentence above. Instead you can say something like "This attack cannot be
prevented just by securing the link layer alone". Then the following
paragraph seems like a good fit.

>    Even on a secure link layer, SEND does not require that the addresses
>    on the link layer and Neighbor Advertisements correspond to each
>    other.  However, it is RECOMMENDED that such checks be performed
>    where this is possible on the given link layer technology.
>

-mohan

> The modifications are also visible in
> http://www.piuha.net/~jarkko/publications/send/issues/issue33diff.html
>
> Comments appreciated.

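
The check that the quoted Section 11.1 text recommends (the link layer frame source address compared with the Target Link-layer Address option of a Neighbor Advertisement), as an added example that is not part of the original thread or of the SEND draft. It assumes Ethernet framing, no IPv6 extension headers, and a link layer on which the frame source address itself cannot be spoofed; the function names and sample addresses are constructed for illustration.

```python
import struct

ICMPV6, NA, OPT_TLLA = 58, 136, 2  # IPv6 next-header, NA type, TLLA option type

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def check_na_binding(frame):
    """Compare the Ethernet source address with the NA's TLLA option.
    Returns (verdict, frame_src, tlla); verdict is one of
    'not-na', 'no-tlla', 'match', 'mismatch'."""
    if len(frame) < 14 + 40 + 24:          # Ethernet + IPv6 + fixed NA part
        return ("not-na", None, None)
    src, ip = frame[6:12], frame[14:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # Assumption: ICMPv6 follows the IPv6 header directly (no extension headers).
    if ethertype != 0x86DD or ip[6] != ICMPV6 or ip[40] != NA:
        return ("not-na", mac(src), None)
    payload_len = struct.unpack("!H", ip[4:6])[0]
    opts = ip[40:40 + payload_len][24:]    # skip type/code/cksum, flags, target
    while len(opts) >= 2:
        otype, olen = opts[0], opts[1] * 8  # option length is in 8-octet units
        if olen == 0 or olen > len(opts):
            break                           # malformed or truncated option
        if otype == OPT_TLLA:
            tlla = opts[2:8]
            return ("match" if tlla == src else "mismatch", mac(src), mac(tlla))
        opts = opts[olen:]
    return ("no-tlla", mac(src), None)

def build_na(frame_src, tlla, extra_opt=b""):
    """Constructed sample frame for the check above (checksum left at zero)."""
    target = bytes.fromhex("fe80000000000000020000fffe000001")
    icmp = bytes([NA, 0, 0, 0]) + b"\x60\x00\x00\x00" + target
    icmp += extra_opt + bytes([OPT_TLLA, 1]) + tlla
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    ip += target + bytes.fromhex("ff020000000000000000000000000001")
    return bytes.fromhex("333300000001") + frame_src + b"\x86\xdd" + ip + icmp

HOST_A = bytes.fromhex("020000000001")   # constructed addresses
HOST_B = bytes.fromhex("020000000002")
MTU_OPT = bytes([5, 1, 0, 0, 0, 0, 5, 220])  # unrelated option placed first

if __name__ == "__main__":
    print(check_na_binding(build_na(HOST_A, HOST_A)))           # consistent
    print(check_na_binding(build_na(HOST_A, HOST_B, MTU_OPT)))  # TLLA names another node
```

A `mismatch` verdict means the advertisement points traffic at a link layer address other than the one that sent the frame, which is the case the RECOMMENDED check is meant to catch.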


