Hi,
I think that there are different ways that DHCPs and CGAs could
interact and I guess that the first thing that is needed is to identify
which of those are valuable and workable.
I can see at least the following modes of interaction:
- the end node generates the CGA and registers it with the DHCP server.
(as Fred suggests)
- the end node generates the key pair, submits the public key to the
DHCP server, and the DHCP server generates the CGA and informs the end
node about the CGA and the CGA parameter data structure. This could be
useful, for instance, if the DHCP server wants to include additional CGA
extensions in the CGA parameter data structure. For example, the DHCP
server could include another public key (in the case of multikey CGAs)
or could include an HBA extension (so that the server makes sure that
all the prefixes are included in the CGA/HBA generation)
- the server generates the key pair and then the CGA Parameter data
structure. It then conveys the key pair, the CGA and the CGA parameter
data structure to the node. This could provide key escrow, or key
generation for devices that are not powerful enough to generate the key
pair. This could be especially true for high values of sec. Of course
this option presents security concerns that need to be properly
addressed.
- as I understand Alex's suggestion, it could also be envisioned to
secure the DHCP exchange using CGAs... not sure I understand in which
scenario this would be useful...
Regards, marcelo
On 22/11/2006, at 9:23, Jean-Michel Combes wrote:
Hi,
Sorry but I need a clarification :)
Is Marcelo's item about DHCP about how DHCP may provide a CGA address
to a node, or how DHCP checks that a node may use a CGA address?
Thanks.
Best regards.
JMC.
2006/11/21, Alexandru Petrescu <[EMAIL PROTECTED]>:
Templin, Fred L wrote:
>> - CGAs and DHCP. The goal here would be to analyze possible mechanisms
>> to allow to assign CGAs using DHCP and to produce a recommendation
>> about how this can be done. The actual DHCP extensions are to be
>> defined in the DHC wg.
>
> Why not just have:
>
> 1) Client configures an address using CGA and includes it in
> an IA_NA; IA_TA option in its initial solicitation.
> 2) Server determines whether the client's proposed (CGA-based)
> address is unique and returns an appropriate status code.
> 3) Client assigns the address to an interface, or proposes
> a new CGA to the server if earlier attempts collided.
Sounds good at delivering hash-based addresses to terminal. It may
however have security risks, like a rogue Server.
> I don't think there are any DHCP extensions required for that?
There could be a discussion on securing initial DHCPv6 exchanges with
hash-based addresses instead of shared IPsec keys, too.
Alex
>
> Fred
> [EMAIL PROTECTED]
>
> _______________________________________________
> CGA-EXT mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/cga-ext
>
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
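
An added example, not part of the original thread: a sketch of RFC 3972 CGA generation and verification (SHA-1 Hash1/Hash2), showing what a node or server computes in the modes listed above and how the retry in Fred's step 3 maps to the collision count. The prefix, the placeholder key bytes, the function names and the `in_use` set standing in for the server's uniqueness check are assumptions made for illustration.

```python
import hashlib, ipaddress, os

MASK = 0x1CFFFFFFFFFFFFFF  # ignore Sec (bits 0-2) and u/g (bits 6-7) of the interface ID
PREFIX = bytes.fromhex("20010db800000000")        # constructed: 2001:db8::/64
PUBKEY = b"constructed-placeholder-for-DER-SubjectPublicKeyInfo"  # not a real key

def _hash1(modifier, prefix, coll, pubkey, ext):
    # Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters data structure
    # (modifier | subnet prefix | collision count | public key | extension fields).
    data = modifier + prefix + bytes([coll]) + pubkey + ext
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def _hash2_ok(modifier, pubkey, ext, sec):
    # Hash2: SHA-1 over modifier | 9 zero octets | public key | extension fields;
    # its leftmost 16*Sec bits must be zero.
    digest = hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()
    return digest[:2 * sec] == bytes(2 * sec)

def generate(prefix, pubkey, sec=0, coll=0, ext=b"", modifier=None):
    """Return (address, modifier) for the given collision count."""
    m = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, ext, sec):
        m = (m + 1) % (1 << 128)  # brute-force search; cost grows as 2^(16*Sec)
    modifier = m.to_bytes(16, "big")
    iid = (_hash1(modifier, prefix, coll, pubkey, ext) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify(address, modifier, prefix, coll, pubkey, ext=b""):
    """Check a claimed address against its CGA parameters."""
    packed = ipaddress.IPv6Address(address).packed
    if coll not in (0, 1, 2) or packed[:8] != prefix:
        return False
    iid = int.from_bytes(packed[8:], "big")
    if (_hash1(modifier, prefix, coll, pubkey, ext) ^ iid) & MASK:
        return False
    return _hash2_ok(modifier, pubkey, ext, iid >> 61)  # Sec is read from the address

def propose(prefix, pubkey, in_use, sec=0, modifier=None):
    """Client loop: on a reported collision, retry with the next collision count."""
    for coll in range(3):
        addr, modifier = generate(prefix, pubkey, sec, coll, modifier=modifier)
        if addr not in in_use:  # in_use stands in for the server's uniqueness check
            return addr, modifier, coll
    raise RuntimeError("three collisions: stop and report an error")

if __name__ == "__main__":
    addr, mod, coll = propose(PREFIX, PUBKEY, in_use=set())
    print(addr, coll, verify(addr, mod, PREFIX, coll, PUBKEY))
```

The hash check only binds the address to the public key; proving ownership additionally requires a signature made with the matching private key.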