Hi,

First, sorry for the late reply, and thanks for your comment.

2008/12/22 Sean Shen <[email protected]>:
> hi,
> I had a first review and have the following comments:
>
> Section 2.2:
> Did not understand what the "this latest" refers to, can you clarify it? If
> it refers to security gateway,

"This is case with IKEv2 [RFC4306] when a node needs an IP address in the network protected by a security gateway and this latest assigns it dynamically using Configuration Payload during IKEv2 exchanges."

Latest = Security Gateway

"The security gateway will have to proxy ND messages to be able to intercept messages, sent to the node, to tunnel them to this latest."

Latest = node

I will modify the text to clarify it.

> the very last sentence does not look right.
>
> Section 2.3:
> I understand the problem statements for NS&NA and RS&RA process. I think it
> should at least be mentioned what will happen to periodical RAs when
> proxying.

I am not sure there is a difference between unsolicited and solicited RAs. Are you thinking about a specific issue?

>
> Is some sort of "flag" needed to indicate proxying? Maybe it is already
> mentioned somewhere but I didn't see, or do we need it?

cf. section 4.1.3.3, RFC4389

>
> Section 4.1 & Section 4.2
> These two parts make sense to me: when a proxy uses its own CGA and key to
> protect the message, authorization is needed; if proxy does not have a CGA,
> non-CGA authentication is needed for proxying. My question is, when a proxy
> uses its own CGA and key, it already leaves evidence of what he did. If the
> proxy did anything unproper or unauthorized, he can be caught.

I agree.

> What I mean
> is that, authorization mechanism may not be necessary in this case.
> Authentication is not equal to authorization in most of the cases.

That depends on the trust model :s

>
> Potential approaches:
> I know it's not a good time to discuss more details about solutions, but I
> hope to write down this question for future discussion: when Proxy has its
> own CGA, is it possible for the proxy to relay the messages (include the
> whole original message) between solicitors and MN, sign the relayed messages
> with proxy's key?

I will let the authors of potential solutions reply to you :)

Best regards and happy new year.

JMC.

>
> Best,
>
> Sean
>
> _______________________________________________
> CGA-EXT mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cga-ext
