Hello,

I am looking for reviewers to review the http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig draft. It deals with the use of CGA (RFC 3972) or SSAS for authentication purposes during various types of scenarios. This is truly possible when the authentication is based on the source IP address. Everything in this authentication is done "on the fly" and only once is there a need to configure the servers.

Advantages:
- If the shared secret is compromised (which is true in TSIG), you won't need to repeat the process of re-sharing the shared secret among the many hosts that used the compromised shared secret.
- If for any reason the IP address of any of the nodes involved in authentication is changed, then the other nodes will still be able to verify that it is the same node.
- It is both easier and preferable to use this approach to prove address ownership while at the same time performing source IP address authentication.
- The nodes don't need to go through the chain of trust because the magic of CGA or SSAS works well. This means that if the other nodes are aware of one node's real IP address, then that is all the information the other nodes need to identify this node, no matter how your node changes its IP address.

This draft explains how to easily handle this situation, automatically, without the need for human intervention. I am sure you will find it interesting.
The different scenarios that are considered are:
- Authentication during FQDN
- Authentication during zone transfer
- Authentication of the resolvers in stub resolvers
- Authentication of root DNS servers to recursive DNS servers

We also considered the scenario where the server doesn't support CGA or SeND. The interesting thing about this draft is that you can use a CGA script generator that I will provide and make available to everybody. Then just manually set the IP address for the node that wants to use CGA-TSIG. The CGA-TSIG implementation will thereafter process the handling of all the CGA parameters. This scenario is good for the future of the Internet where IPv6 is used. I guess many DNS servers now support IPv6 as well as IPv4.

I am looking forward to receiving your comments.

Thank you,
Hosnieh

P.S. So if you'll review mine, I'll review yours. Deal??? :-)

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
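To make the address-to-key binding the post relies on concrete, here is an added example (not code from the draft or from its author) of RFC 3972 CGA generation and verification: the interface identifier is derived from the public key, so a verifier who holds the CGA parameters can check ownership without any shared secret, and the same key still verifies after the node moves to a new subnet prefix. The public key is an opaque constructed byte string standing in for the DER SubjectPublicKeyInfo, and no signature step is included.

```python
import hashlib
import ipaddress

# Constructed stand-in for a DER-encoded RSA public key (RFC 3972 hashes the real
# SubjectPublicKeyInfo bytes here); any byte string exercises the hash binding.
PUBKEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"constructed-test-key"

def _params(modifier: bytes, prefix: bytes, collision: int, pubkey: bytes) -> bytes:
    # CGA Parameters: Modifier(16) | Subnet Prefix(8) | Collision Count(1) | Public Key
    return modifier + prefix + bytes([collision]) + pubkey

def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # Hash2 = leftmost 112 bits of SHA-1(Modifier | 9 zero bytes | Public Key);
    # its leftmost 16*Sec bits must be zero (the hash-extension work factor).
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or (h2 >> (112 - 16 * sec)) == 0

def generate_cga(prefix: str, pubkey: bytes, sec: int, collision: int = 0) -> tuple[str, bytes]:
    """Return (IPv6 address, modifier): RFC 3972 section 4 without the DAD step."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = bytes(16)                      # deterministic start; the RFC picks a random one
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = (int.from_bytes(modifier, "big") + 1).to_bytes(16, "big")
    iid = bytearray(hashlib.sha1(_params(modifier, pfx, collision, pubkey)).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)     # bits 0-2 := Sec; bits 6-7 (u, g) := 0
    return str(ipaddress.IPv6Address(pfx + bytes(iid))), modifier

def verify_cga(addr: str, modifier: bytes, collision: int, pubkey: bytes) -> bool:
    """RFC 3972 section 5: rebuild Hash1 from the parameters and compare with the IID."""
    if collision > 2:
        return False
    raw = ipaddress.IPv6Address(addr).packed
    pfx, iid = raw[:8], raw[8:]
    sec = iid[0] >> 5
    h1 = bytearray(hashlib.sha1(_params(modifier, pfx, collision, pubkey)).digest()[:8])
    h1[0] &= 0x1C                             # Sec, u and g bits are excluded from the comparison
    return h1 == bytearray([iid[0] & 0x1C]) + iid[1:] and _hash2_ok(modifier, pubkey, sec)

def demo() -> dict:
    # Sec=1 keeps the modifier search short (about 2^16 SHA-1 calls).
    addr, mod = generate_cga("2001:db8:1::/64", PUBKEY, sec=1)
    moved, _ = generate_cga("2001:db8:2::/64", PUBKEY, sec=1)   # same key, new prefix
    return {"addr": addr, "moved": moved,
            "ok": verify_cga(addr, mod, 0, PUBKEY),
            "wrong_key": verify_cga(addr, mod, 0, PUBKEY + b"x"),
            "moved_ok": verify_cga(moved, mod, 0, PUBKEY)}
```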
