On Wednesday 18 June 2008, Jean-Michel Combes wrote:
> Hi Suresh,

Hello Jean-Michel,

> Sorry but some points are unclear for me.

Let's try to clear them then.

> At first, what are the assumptions you have regarding the MN?
> From my point of view, the MN is able to use SEND: in using either
> CGA or a cert linked to its address. Is it the same assumption for
> you because I am not sure this is the case? :)

First let's talk about nodes rather than MN since I don't see what's specific about mobility in this discussion.

With the current SEND a node has no alternative to CGA to prove address ownership. I evoked a possible use of certificates for that purpose but that is unspecified. At the last IETF, Eric Levy-Abegnoli also presented modifications to the SEND specification that would allow use of certificates.

This use of certified addresses is orthogonal to the Secure Proxy ND discussion, although the solution is the same, i.e. using a certificate to authorize issuing ND signalling for one/some addresses.

> Second point, if the MN has a CGA, how does the ND Proxy get the
> cert which will allow it to sign the NDP signaling instead of the MN?

Like a router does. The certificate of the ND proxy doesn't need to contain the specific address of an MN; it can simply contain a prefix advertized on the links, thus authorizing the ND proxy to issue ND signalling for all addresses under that prefix. The certificate can also contain no prefix at all, in which case the ND proxy can issue ND signalling for any address.

> Last point, if the MN has a cert linked to its address, how is
> this cert provided to the MN?

That's again orthogonal to secure ND proxy, but let me answer once more: in a similar fashion to what a router does, e.g. the administrator installs the certificate on the node, like it does on the router.

> Thanks for your help.

You're welcome.
--julien

> 2008/6/18, Suresh Krishnan <[EMAIL PROTECTED]>:
> > Hi Jean-Michel,
> >  Please see comments inline
> >
> > Jean-Michel Combes wrote:
> > > Hi Julien,
> > >
> > > 2008/6/12, Julien Laganier <[EMAIL PROTECTED]>:
> > > > Hello Jean-Michel,
> > > >
> > > > On Saturday 07 June 2008, Jean-Michel Combes wrote:
> > > > > Hi,
> > > > >
> > > > > After a quick review, I have one comment and one question:
> > > > > - IMHO, your solution should work too with the anycast addresses
> > > > > case
> > > >
> > > > It seems so. It also seems it would work to secure NS/NA
> > > > exchange based on certificates rather than CGA.
> > >
> > > Not sure that certs defined in krishnan-cgaext-send-cert-eku are
> > > well adapted for such a use: IMHO, prefix ownership is not the
> > > same as address ownership.
> >
> > Why not :-)? If the IP address in the certificate is a /128 and
> > the EKU value is "owner" (or some variant of this), these
> > certificates can be used for address ownership.
> >
> > > > To achieve that it would also be
> > > > necessary to define another EKU (extended key usage) for
> > > > "Address ownership", in addition to "Router" and "Proxy".
> > >
> > > But what is in the cert when you want to use it to proxy NS/NA?
> > > An address or a prefix?
> >
> > The /128 address of the node with EKU value of "owner"
> >
> > > > > - How will an ND-Proxy get the certificate authorizing it to
> > > > > act as an ND-Proxy?
> > > >
> > > > In the same fashion that a Router gets the certificate
> > > > authorizing it to act as a router.
> > >
> > > May I have details in the case of the MIPv6 scenario? Especially,
> > > who does provide the cert?
> >
> > In very basic terms, the certificate is provided by anyone that
> > the MN trusts, e.g. this could be the mobility service provider.
> >
> > Cheers
> > Suresh
> > _______________________________________________
> CGA-EXT mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cga-ext
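As an added illustration, not code from the thread or from the krishnan-cgaext-send-cert-eku draft, the authorization decision the thread argues over (a proxy cert carrying a prefix, a proxy cert carrying no prefix, and a /128 cert with an "owner" EKU) modelled as a check over a certificate's IP address block and its EKU set; the EKU labels, the record layout and the sample addresses are assumptions, not the draft's encoding.

```python
"""Model of which SEND certificate contents authorize signing NS/NA for an address.

Assumptions (not from the draft): EKUs are the symbolic labels "router",
"proxy" and "owner"; the address block is a single IPv6 prefix or absent.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class SendCert:
    block: Optional[IPv6Network]   # RFC 3779-style address block; None = unconstrained
    ekus: FrozenSet[str]           # extended key usages the cert carries


def make_cert(block: Optional[str], *ekus: str) -> SendCert:
    """Build a cert record from a prefix string (or None) and EKU labels."""
    return SendCert(IPv6Network(block) if block else None, frozenset(ekus))


def authorizes_nd(cert: SendCert, target: str, role: str) -> bool:
    """True if `cert` lets its holder issue NS/NA for `target` acting in `role`."""
    addr = IPv6Address(target)
    if role not in cert.ekus:
        return False                        # cert was not issued for this role
    if role == "owner":
        # Address ownership needs an exact /128 matching the target;
        # a prefix is prefix ownership, not address ownership.
        return (cert.block is not None
                and cert.block.prefixlen == 128
                and addr == cert.block.network_address)
    if role == "proxy":
        if cert.block is None:
            return True                     # no prefix: may proxy for any address
        return addr in cert.block           # only addresses under the prefix
    return False                            # "router" does not cover NS/NA proxying here


# Constructed sample certificates (documentation prefix, not real deployments).
SAMPLE_CERTS = {
    "proxy_prefix": make_cert("2001:db8:1::/64", "proxy"),
    "proxy_any": make_cert(None, "proxy"),
    "owner_128": make_cert("2001:db8:1::1/128", "owner"),
    "owner_prefix": make_cert("2001:db8:1::/64", "owner"),
}
```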
