Follow up,

The good thing about CGA-TSIG, or using CGA or SSAS as the algorithm, is that
if you only know the IP address (set it manually the first time, or receive
it in a secure way, e.g. because you can trust your router), then there is no
need for any check on the public key, since there is a binding between this
public key and the IP address. I am not sure the chairs uploaded the slides;
if so, you can find the scenarios there as well.

Thanks,
Hosnieh
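The binding described in the message above, a public key tied to the IPv6 address so that a node which learned a resolver's address from a trusted source can check the resolver's key without any certificate lookup, is what RFC 3972 Cryptographically Generated Addresses provide. The Python below is an added example for this thread, not code from the list discussion or from the CGA-TSIG draft: it generates a CGA from a constructed stand-in public key and then verifies an address/parameters pair the way a client would check a resolver's key. The key bytes, the documentation prefix and the helper names are assumptions; a real implementation hashes the DER-encoded SubjectPublicKeyInfo and runs the rest of the draft's exchange on top of this check.

```python
import hashlib
import ipaddress
import os

# RFC 3972 CGA Parameters layout:
#   modifier (16 octets) || subnet prefix (8 octets) || collision count (1 octet)
#   || public key (DER-encoded SubjectPublicKeyInfo) || extension fields
SEC_SHIFT = 5         # Sec sits in the three leftmost bits of the interface identifier
IID_KEEP_MASK = 0x1C  # bits of octet 8 that are compared: all but Sec and the u/g bits

# Constructed stand-in for a resolver's DER-encoded public key (not a real key).
EXAMPLE_KEY = bytes(range(64))


def cga_parameters(modifier, prefix, collision_count, public_key, extensions=b""):
    """Serialize the CGA Parameters structure (RFC 3972, section 3)."""
    if len(modifier) != 16 or len(prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("malformed CGA parameters")
    return modifier + prefix + bytes([collision_count]) + public_key + extensions


def hash1(params):
    """Hash1: leftmost 64 bits of SHA-1 over the complete parameters."""
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier, key_and_extensions):
    """Hash2: leftmost 112 bits of SHA-1 with prefix and collision count zeroed."""
    return hashlib.sha1(modifier + b"\x00" * 9 + key_and_extensions).digest()[:14]


def hash2_satisfies_sec(h2, sec):
    """The leftmost 16*Sec bits of Hash2 must be zero (always true for Sec=0)."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def generate(prefix, public_key, sec, extensions=b"", rng=os.urandom):
    """Generate a CGA (RFC 3972, section 4). Returns (address string, parameters)."""
    if not 0 <= sec <= 7:
        raise ValueError("Sec must be 0..7")
    modifier = int.from_bytes(rng(16), "big")
    while True:  # search the modifier until Hash2 has 16*Sec leading zero bits
        mod_bytes = modifier.to_bytes(16, "big")
        if hash2_satisfies_sec(hash2(mod_bytes, public_key + extensions), sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    collision_count = 0  # would be incremented after a duplicate-address detection hit
    params = cga_parameters(mod_bytes, prefix, collision_count, public_key, extensions)
    iid = bytearray(hash1(params))
    iid[0] = (iid[0] & IID_KEEP_MASK) | (sec << SEC_SHIFT)  # write Sec, clear u/g bits
    return str(ipaddress.IPv6Address(prefix + bytes(iid))), params


def verify(address, params):
    """Check that params are bound to address (RFC 3972, section 5)."""
    packed = ipaddress.IPv6Address(address).packed
    if len(params) < 25:
        return False
    modifier, prefix, collision_count = params[:16], params[16:24], params[24]
    if collision_count > 2 or prefix != packed[:8]:
        return False
    sec = packed[8] >> SEC_SHIFT
    expected = hash1(params)
    # Compare the interface identifier, ignoring the Sec bits and the u/g bits.
    if (expected[0] & IID_KEEP_MASK) != (packed[8] & IID_KEEP_MASK) or expected[1:] != packed[9:]:
        return False
    return hash2_satisfies_sec(hash2(modifier, params[25:]), sec)


def key_bound_to_address(trusted_address, params):
    """Return the public key (plus extension fields) carried in params only if the CGA
    check binds it to trusted_address, otherwise None. This is the check a client can
    run on a resolver address it learned from a trusted source: the trust anchor is the
    address itself, so no certificate chain is consulted."""
    return params[25:] if verify(trusted_address, params) else None


if __name__ == "__main__":
    prefix = ipaddress.IPv6Address("2001:db8::").packed[:8]  # documentation prefix
    addr, params = generate(prefix, EXAMPLE_KEY, sec=1)
    print(addr, verify(addr, params), key_bound_to_address(addr, params) == EXAMPLE_KEY)
```

The point of the verification path is that a peer who does not hold the private key behind the parameters can still produce parameters that hash to some address, but not to the one the client already trusts: changing the key changes Hash1 and therefore the interface identifier, so the client rejects it without consulting any third party.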

 
> Thanks for your question and review.
> 
> > > [...] For DNS resolver, it
> > > receives this IP address securely via the option in the router
> > > advertisement message.
> >
> > So, the security of this approach relies on how securely the client
> > can get the resolver's address, e.g.,
> > - Using SEND for RAs with RFC 6106
> > - (If and when it's defined) Using public-key based DHCPv6
> >   authentication
> > And, to make this part secure, the client needs to get the router's
> > certification or the server's public key securely beforehand.
> >
> > Is my understanding correct?
> 
> To some extent correct, but it is not bound to that option. One
> example is where you are in an untrusted network like a café. We assume
> that you cannot trust your router, or the router does not support SeND,
> and you really want to ensure that a MITM attack will not happen while
> browsing any websites (like your bank, etc.); then you can always set an
> IP address of a trusted resolver yourself. One example can be the use of
> the IP address of the Google resolver or any other resolver that supports
> CGA-TSIG (it can be your home resolver as well). Your node can verify
> that using the CGA or SSAS algorithm.
> 
> I hope I could answer your question.
> Smile,
> Hosnieh
> 
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
