Thanks to Julian, Suresh and others for all their comments on my presentation. Following are the answers to the questions raised and, hopefully, this will clarify the main purpose of this draft:

- A comment was made that DHCP can update the clients' DNS records on behalf of the clients, so they see no reason for this draft as DHCPv6 can update the DNS records for the clients on their behalf.

Here we are talking about another IPv6 addressing mechanism, i.e., the Neighbor Discovery Protocol (RFC 4861), and not DHCPv6. NDP is a new addressing mechanism included in the IPv6 suite that functions like ARP, discovering other neighbor nodes, ICMP, and address configuration automatically. By default, all operating systems support this functionality and, for Windows, it is the default method of addressing.

- Why do some administrators prefer to use NDP instead of DHCPv6?

With NDP, no DHCP server configuration is required.

- Usage of the NDP protocol

All kinds of networks like campus and company networks, whether they are public or private.

- How can a client or a server in IPv6 networks set its IP address using NDP?

When you connect your computer to an IPv6 network, your computer generates its IP address automatically and then performs duplicate address detection by using 5 types of ICMPv6 messages. Your computer also sets its global address by using the router advertisement. The administrator just needs to enable NDP on his router and configure it to advertise his available prefixes. It is a great way to manage the network.

- The problem with NDP WAS (solved now)

Before, it did not support the DNS option and it took the DNS information from the DHCP server, BUT NOW, according to a new extension to NDP, RFC 6106, the router advertisement contains the DNS information also, so there is no need for DHCP server configuration.

- What is the problem now in this local network - what gap CGA-TSIG fills

Briefly: it provides local security in IPv6 networks without the need for extra configuration, as it uses the current security parameters and mechanism available on this network, i.e., SEND. When node addresses change over time in IPv6 networks for privacy reasons, CGA-TSIG provides the necessary security in IPv6 networks for the DNS authentication process. This solution works very well in local networks, but is also applicable in global networks.

- Local security is an important issue:

In IPv6 networks that use NDP, there is no central server available to perform the updates to DNS records on behalf of the client. As local security is important, as well as global security, CGA-TSIG provides a solution for the automation of this process and allows for client authentication with DNS servers as well as the ability to update their own records.

The question that might arise here is, why is local security important? The answer here is the same as that provided for the use of SEcure Neighbor Discovery in IPv6 networks. Many attacks are internal and not via the Internet. When, because of flaws or viruses or..., a host in a network is infected, which gives the attacker control of that host, the role of local security is highlighted. In this case the attacker is inside your network and using the legitimate nodes inside your network for their malicious purposes. Therefore, if you just think about global security, you have only partly secured your network!

Consider also the case where hosts generate their IP address and keep it as long as they are connected to the same network. When this legitimate node joins a network for the first time, if TSIG or other security mechanisms are used, the administrator needs to generate this shared secret so that it is only shared between this host and the DNS server. Thus CGA-TSIG reduces this task, while at the same time providing the security necessary for DNS servers and clients.

- Privacy is the second or another important issue:

In Europe, privacy is a very important issue. An example of that is in Germany, where the ISPs are forced to change their range of IP addresses frequently. In this case, for every change, the administrators of the sub-networks using these ISPs need to reconfigure their clients and servers to again use the security mechanism for authentication purposes. CGA-TSIG is the solution. It can provide this authentication without the need for more configuration.

- Global security:

The same approach is applicable for authentication purposes among the DNS servers on the Internet if they are under the privacy rules that force them to change their ISP's prefix, as was explained in my first point.

Finally: DNS servers or clients only need to use the cached CGA data and do not need to regenerate the CGA! This is an important point because only a few changes need to be made to the current implementation of DNS servers.

I will provide you with the list of more attacks later. Some of the attacks that CGA-TSIG can prevent are found in the Security Considerations section at the following link: http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig-00#section-4

I welcome all questions and comments that can help to clear up the purpose of this draft. Thank you all for your help. It is greatly appreciated.

Thank you again,
Hosnieh
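As an added example (not code from the draft or from the post above), here is the CGA generation and verification of RFC 3972 that CGA-TSIG builds on, in Python: a DNS server handed the client's address and CGA parameters can check that the address was derived from the client's public key without any administrator-provisioned shared secret, which is the point made above about TSIG configuration. The documentation prefix, the key bytes and the fixed modifier are constructed placeholders (a real CGA hashes the DER-encoded public key and starts from a random modifier).

```python
import hashlib
import ipaddress
import os

def _hash1(modifier, prefix, collision_count, pubkey, ext=b""):
    # Hash1 (RFC 3972 s.4): leftmost 64 bits of SHA-1 over
    # modifier | subnet prefix | collision count | public key | extensions
    data = modifier + prefix + bytes([collision_count]) + pubkey + ext
    return hashlib.sha1(data).digest()[:8]

def _hash2(modifier, pubkey, ext=b""):
    # Hash2: leftmost 112 bits of SHA-1 over modifier | 9 zero octets | key | ext
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey + ext).digest()[:14]

def generate_cga(prefix, pubkey, sec, modifier=None, collision_count=0):
    """Derive a CGA from an 8-octet subnet prefix and a public key.
    Returns (IPv6Address, CGA parameters the verifier needs)."""
    m = int.from_bytes(modifier or os.urandom(16), "big")
    while True:  # hash extension: 16*sec leftmost bits of Hash2 must be zero
        mod = m.to_bytes(16, "big")
        if _hash2(mod, pubkey)[: 2 * sec] == b"\x00" * (2 * sec):
            break
        m = (m + 1) % (1 << 128)
    iid = bytearray(_hash1(mod, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # top 3 bits = sec; u/g bits cleared
    params = {"modifier": mod, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + bytes(iid)), params

def verify_cga(addr, params):
    """RFC 3972 s.5 verification: no pre-shared secret is needed, only the
    address and the CGA parameters the client already publishes."""
    packed = addr.packed
    cc = params["collision_count"]
    if cc not in (0, 1, 2) or params["prefix"] != packed[:8]:
        return False
    h1 = _hash1(params["modifier"], params["prefix"], cc, params["pubkey"])
    iid = packed[8:]
    # compare Hash1 to the interface ID, ignoring the sec and u/g bits
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return _hash2(params["modifier"], params["pubkey"])[: 2 * sec] == b"\x00" * (2 * sec)

# Constructed inputs: a documentation prefix and placeholder key bytes (a real
# CGA uses the DER-encoded SubjectPublicKeyInfo); a fixed modifier keeps it deterministic.
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
PUBKEY = b"constructed-public-key-bytes"
```

Calling `generate_cga(PREFIX, PUBKEY, sec=1, modifier=b"\x00" * 16)` searches for a Hash2 with 16 leading zero bits, the hash extension that raises an attacker's cost of finding a key matching a given address; with `sec=0` the loop exits on the first modifier.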
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
