[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Router Security and FastRA (Re: [DNA] FastRA draft)

To: James Kempf <kempf@docomolabs-usa.com>
Subject: Re: Router Security and FastRA (Re: [DNA] FastRA draft)
From: Greg Daley <greg.daley@eng.monash.edu.au>
Date: Wed, 21 Jul 2004 10:36:50 +1000
Cc: Soohong Daniel Park <soohong.park@samsung.com>, Brett Pentland <brett.pentland@eng.monash.edu.au>, dna@eng.monash.edu.au, Mohamed Khalil <mkhalil@nortelnetworks.com>
Organization: Monash University
References: <EDELKJDGPGNIPOAOHMNPCEAJFPAA.soohong.park@samsung.com><40FC89BC.3080803@eng.monash.edu.au><007f01c46e6d$4a881760$536115ac@dcml.docomolabsusa.com>
Reply-to: greg.daley@eng.monash.edu.au
Sender: owner-dna@ecselists.eng.monash.edu.au
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Hi James,

James Kempf wrote:
> During the design team discussions in SEND, we discussed having the host
> preprovisioned with the new router's certificate so that there was no need
> for ADD when the host came up on the new router.
> 
> In the latest draft of CARD (draft-ietf-seamoby-card-protocol-07.txt), there
> is support for two additional CARD Request/Reply options: the Trusted Anchor
> option and the Router Certificate option. These allow a host to request the
> certification path for a handover candidate router from the existing access
> router, so the host doesn't have to do ADD on the new access router.

I think this ties in with Eunsoo's description of CARD and DNA
interactions.

Of course if we trusted the old router to provide accurate information
about candidate routers on adjacent links (not predicting which link
we'll arrive on, but that the routers in the CARD list are real
routers), we wouldn't necessarily need to undertake the certificate
chain computation immediately in every case.

That may be a bit dangerous to trust by itself but would give
us time to start using the router.  While using the router we
could corroborate the trust chain received from CARD messages
or receive one from the router itself after arrival on the link.

I'm not sure if this is a base DNA issue, a base CARD issue
or an interaction between the two.

> What Greg says about the crypto and other assorted signature processing on
> the RA is correct. It is an additional few milliseconds. The host has some
> additional work to construct the CGA, but that should be minimal as well,
> nothing compared to DAD or DHCP (naturally the host should use optiDAD, if
> available).

Of Course ;-)

Greg

Follow-Ups:
- Re: Router Security and FastRA (Re: [DNA] FastRA draft)
  - From: Jari Arkko <jari.arkko@kolumbus.fi>

References:
- RE: [DNA] FastRA draft
  - From: Soohong Daniel Park <soohong.park@samsung.com>
- Router Security and FastRA (Re: [DNA] FastRA draft)
  - From: Greg Daley <greg.daley@eng.monash.edu.au>

Prev by Date: [DNA] Couple of points on draft-jinchoi-dna-soln-frame-00.txt
Next by Date: Re: Router Security and FastRA (Re: [DNA] FastRA draft)
Prev by thread: RE: Router Security and FastRA (Re: [DNA] FastRA draft)
Next by thread: Re: Router Security and FastRA (Re: [DNA] FastRA draft)
Index(es):
- Date
- Thread