Hi Rogue,
I have no opinion to express yet. However, can you clarify your third
proposal? You propose to modify RFC 3971 so that a CPA message contains
both a Cert AND the corresponding CRL? Is this somehow an optimization of your
first proposal?
What I thought could be theoretically possible is that when a host requests
a certificate, the router could send the certificate and the CRL in the
Certification Path Advertisement Message. However, if you have a host that is
connected for several hours, you will need to go back to fetch the new version
of the CRL from time to time without needing to request the Cert, because those
are long-lived. For this reason, option 3 may not be such a good idea.
Sending an extra certificate every few hours to keep the protocol
"simple" (reusing the same CPS/CPA messages) does not sound too bad to
me. Moreover, you could multicast the message to the All-Nodes
address, so all the nodes on the link can know that a certificate is
still valid. What is the opinion of the other people on the list?
Another advantage of solution 1 and 3 is that the node can verify the
validity of a prefix during the Stateless Address Autoconfiguration
procedure, before assigning any addresses corresponding to this prefix to
an interface. This, IMHO, is an important feature.
It is true that with option 2 you probably would need global unicast addresses
to access the repositories that are outside of the local network while with
option 1 you could send CRL request messages to the router using link local
addresses. Is this what you meant?
Not exactly what I meant. I meant, you could send CPS/CRS message with the
unspecified source address and receive a CPA/CRA from the router destined
to the All-Nodes Multicast Address. Hence, you do not need to assign any
addresses to your interfaces until you are sure that the router's certificate
has not been revoked.
Regards,
Tony
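As an added illustration that is not part of this thread, here is a small Python model of the exchange described above: a host solicits from the unspecified address, the router answers to the All-Nodes multicast address with its certificate and CRL together (option 3) or with a fresh CRL alone (the CRS/CRA messages mentioned above), and the host assigns no address from the advertised prefix until the certificate checks out against a current CRL. Message layouts, the prefix field on the certificate, serial numbers and addresses are constructed assumptions, not the RFC 3971 wire format.

```python
from dataclasses import dataclass

UNSPECIFIED, ALL_NODES, ALL_ROUTERS = "::", "ff02::1", "ff02::2"

@dataclass
class Cert:
    serial: int
    prefix: str          # prefix the router is authorized to advertise (assumption)
    not_after: int       # expiry time, in seconds
@dataclass
class CRL:
    revoked: frozenset   # serials of revoked certificates
    next_update: int     # stale after this time; the host must fetch a new CRL
@dataclass
class Msg:
    kind: str            # CPS/CPA (RFC 3971) or CRS/CRA (CRL messages proposed on the list)
    src: str
    dst: str
    cert: Cert = None
    crl: CRL = None

class Router:
    def __init__(self, addr, cert, crl):
        self.addr, self.cert, self.crl = addr, cert, crl
    def handle(self, msg):
        # Reply to All-Nodes so a host with no address yet gets it and every node sees the CRL.
        if msg.kind == "CPS":   # option 3: certificate and CRL in the same CPA
            return Msg("CPA", self.addr, ALL_NODES, self.cert, self.crl)
        if msg.kind == "CRS":   # option 1: refresh only the CRL; the cert is long-lived
            return Msg("CRA", self.addr, ALL_NODES, crl=self.crl)
        raise ValueError(msg.kind)

class Host:
    def __init__(self):
        self.cert, self.crl, self.addresses = None, None, []
    def solicit(self):
        # Sent from the unspecified address, so nothing has to be configured first.
        return Msg("CPS" if self.cert is None else "CRS", UNSPECIFIED, ALL_ROUTERS)
    def receive(self, msg):
        self.cert = msg.cert or self.cert   # a CRA carries no cert; keep the stored one
        self.crl = msg.crl
    def prefix_valid(self, now):
        # Router cert known, unexpired and unrevoked, and the CRL still fresh.
        return (self.cert is not None and self.crl is not None
                and now <= self.cert.not_after and now <= self.crl.next_update
                and self.cert.serial not in self.crl.revoked)
    def autoconfigure(self, now):
        # Stateless address autoconfiguration, gated on the revocation check.
        if self.prefix_valid(now) and not self.addresses:
            self.addresses.append(self.cert.prefix + "1")
        return list(self.addresses)
```

Once the CRL's next_update has passed, `prefix_valid` fails and the host sends a CRS rather than a new CPS, which is the periodic CRL refresh without re-requesting the certificate that the thread discusses.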
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext