Hello,

Just a few observations after reviewing this:

1) RFC3972 ("CGA") specifies that the modifier should be 64 bits and the 
collision count eight bits, yet I notice in Figure 2 it specifies a 16 bit 
modifier and a 1 bit collision count. Can you explain why you chose to 
implement this differently?
2) In your implementation of the protocol you call for DAD but it does not 
mention (or maybe I just can't find) what to do re: collision count if a duplicate 
address is detected. Further, in 3.2.1.2 I don't see a step to verify this 
number as per CGA. I'm assuming you're to follow the specs from CGA but you may 
want to be specific regarding this.
3) In 3.1 step 5 you may want to be clear that bits seven and eight should be 
set to zero.
4) In 3.2.1.2, step 2, Check Time Signed, your window seems very short given 
typical retransmission timeouts and the like. 
5) 3.2.1.2 step 5, Verify the signature, I don't see the exact method you want used 
in this protocol to accomplish this.

Just an overall note, and this likely has more to do with me than you, I'm a 
bit confused as to how this would functionally integrate on a host using a CGA. 
Would you actually be running these algorithms again just for the purpose of 
sending a DNS update or would you be layering on top of the existing IP stack 
and using the existing CGA functionality?

Thanks,

Joshua Shire
Information Systems Manager
Hyduke Energy Services Inc.
ph: 780-955-0401
fax: 780-955-0368
mx: [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of 
Rafiee, Hosnieh
Sent: Tuesday, October 23, 2012 9:07 AM
To: [email protected]
Cc: [email protected]
Subject: [Int-area] Last Call before IETF meeting: 
draft-rafiee-intarea-cga-tsig-00.txt

Hello,

This is our "last call" request for comments concerning our draft, RFC 
"CGA-TSIG". If you feel so inclined, please feel free to comment on it. Any and 
all comments are greatly appreciated.
Thank you,



----------------------------------

A new version of I-D, draft-rafiee-intarea-cga-tsig-00.txt
has been successfully submitted by Hosnieh Rafiee and posted to the IETF 
repository.

Filename:        draft-rafiee-intarea-cga-tsig
Revision:        00
Title:           Transaction SIGnature (TSIG) using CGA Algorithm in IPv6
Creation date:   2012-10-15
WG ID:           Individual Submission
Number of pages: 13
URL:             http://www.ietf.org/internet-drafts/draft-rafiee-intarea-cga-tsig-00.txt
Status:          http://datatracker.ietf.org/doc/draft-rafiee-intarea-cga-tsig
Htmlized:        http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig-00


Abstract:
   The first step of Transaction SIGnature (TSIG) (RFC 2845) is to
   generate a shared secret and exchange it manually between a DNS
   server and a host. This document, CGA-TSIG, proposes a possible way
   to automate the now manual process for the authentication of a node
   with a DNS server during the DNS Update process by using the same
   parameters as are used in generating a secure address in IPv6
   networks, i.e., Cryptographically Generated Addresses (CGA) (RFC
   3972). CGA-TSIG facilitates this authentication process and reduces
   the time needed for DNS Updates. The current signature generation
   process and verification mechanism in TSIG are thus replaced with
   CGA. This algorithm is added, as an extension, to TSIG to eliminate
   the human intervention needed for generation and exchange of keys
   between a DNS server and a host when SEcure Neighbor Discovery (SEND)
   (RFC 3971) is used.

                                                                                
  


The IETF Secretariat

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area