Tony,

Thanks so much for your comments. They are helpful. See my detailed reply in
the lines.

Cheers,

Sheng 

> -----Original Message-----
> From: Tony Cheneau [mailto:[email protected]] 
> Sent: Thursday, September 24, 2009 10:57 PM
> To: [email protected]; Sean Shen
> Cc: [email protected]; [email protected]
> Subject: Comments on draft-jiang-dhc-secure-dhcpv6-02
> 
> Hello,
> 
> I read draft-jiang-dhc-secure-dhcpv6-02 and I have the following comments:
> - you should remain consistent and always use the term CGA Parameters
>   (sometimes, the 's' is lacking).

Ok, this will be fixed in the next version.

> - section 6.3, "The CGA of a client will not lose during relaying." needs to
>   be corrected (does not make much sense).

I guess we need to add some context here. This is a comparison sentence with
"The CGA of a server will lose during relaying".

> - in the same section, maybe due to a lack of knowledge in the DHCPv6
>   protocol, I fail to understand how the Relay Agent will prove the DHCP
>   Client's address ownership to the DHCP server and how the Relay Agent will
>   prove the DHCP server authorization to the DHCP Client. Can you enlighten me
>   on this point?

The relay agent is not involved in the authentication between the DHCP server
and client. The authentication is end-to-end; it is transparent to the relay
agent. We just make sure that the relaying process does not throw away the
authentication information.
 
> - the document is rather fuzzy on how you deploy certificates on DHCP routers
>   to perform the ADD. If you plan to reuse the certificate deployed on SEND
>   routers, it would be wise to provide an "extended key usage" value for the
>   authorization to act as a DHCP server (there is already a value for proxying
>   functionalities and such defined in draft-ietf-csi-send-cert).
>
> - also, the text is not clear on the fact that the DHCP Server MUST use a
>   certificate to prove its authority. I think the text should be clarified on
>   that point.

We left certificate deployment out of scope on purpose. This document is built
on the assumption that all the network hosts have already deployed the
certificates they need. Certificate deployment is a complicated topic, and
there are many documents on it. I guess we can add some references in a future
version.

Best regards,

Sheng
 
> Best regards,
>       Tony Cheneau

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext