On Wednesday 18 June 2008, Jean-Michel Combes wrote:
> Hi Julien,

Hi Jean-Michel,

> 2008/6/12, Julien Laganier <[EMAIL PROTECTED]>:
> > Hello Jean-Michel,
> >
> > On Saturday 07 June 2008, Jean-Michel Combes wrote:
> > > Hi,
> > >
> > > After a quick review, I have one comment and one question:
> > > - IMHO, your solution should work too with anycast addresses
> > > case
> >
> > It seems so. It also seems it would work to secure NS/NA exchange
> > based on certificates rather than CGA.
>
> Not sure that certs defined in krishnan-cgaext-send-cert-eku are well
> adapted for such a use: IMHO, prefix ownership is not the same as
> address ownership.

An address is a "degenerated" prefix, i.e. a /128 prefix. From that point of view address ownership is just a special case of prefix ownership. But what you seem to be getting at is that authorization to advertise a prefix is different from ownership of that prefix, and there I agree. I don't think we'd have a problem since what I proposed is to use different EKUs to clearly distinguish between "Address ownership", i.e. in the context of SEND the authorization to issue ND signalling for a given IP address, vs. "router", i.e. the authorization to issue ND signalling advertising a given IP prefix, and "proxy", i.e. the ability to issue ND signalling for any IP address within a given IP prefix.

> > To achieve that it would also be
> > necessary to define another EKU (extended key usage) for "Address
> > ownership", in addition to "Router" and "Proxy".
>
> But what is in the cert when you want to use it to proxy NS/NA? An
> address or a prefix?

There seems to be a confusion here. The usage of certs for address ownership and security of NS/NA exchanges I proposed in the previous message is orthogonal to support of proxy ND; these are two different things. The draft proposes to use certificates to support proxy ND, in which case the cert contains either the on-link prefix, or nothing. For the address ownership usage I proposed, the cert would contain the address of the node asserting ownership without CGA.

> > > - How will a ND-Proxy get the certificate authorizing it to act
> > > as an ND-Proxy?
> >
> > In the same fashion that a Router gets the certificate authorizing
> > it to act as a router.
>
> May I have details in the case of the MIPv6 scenario? Specially, who
> does provide the cert?

In my view there's no difference between provisioning of authorization certificates on routers vs. home agents. Not sure what kind of detail you're concerned about. It would help if you would sketch up the detailed provisioning of certificates on a router and point out the steps that are different for a HA in your opinion.

Cheers,

--julien

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
