Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt
Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Wed, 23 July 2008 19:30 UTC
Return-Path: <dime-bounces@ietf.org>
X-Original-To: dime-archive@megatron.ietf.org
Delivered-To: ietfarch-dime-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3EF393A68E7; Wed, 23 Jul 2008 12:30:00 -0700 (PDT)
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BA08C3A685E for <dime@core3.amsl.com>; Wed, 23 Jul 2008 12:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Level:
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w9vnUV13CboR for <dime@core3.amsl.com>; Wed, 23 Jul 2008 12:29:57 -0700 (PDT)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id DF1483A6AF6 for <dime@ietf.org>; Wed, 23 Jul 2008 12:29:56 -0700 (PDT)
Received: (qmail invoked by alias); 23 Jul 2008 19:30:39 -0000
Received: from a91-154-105-144.elisa-laajakaista.fi (EHLO [192.168.255.3]) [91.154.105.144] by mail.gmx.net (mp003) with SMTP; 23 Jul 2008 21:30:39 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/FyGZEikfF0LaOEMAhevAOiKvd9A6fYWDDEooVs0 X8ysgoKRnAM812
Message-ID: <488786DE.6010400@gmx.net>
Date: Wed, 23 Jul 2008 22:30:38 +0300
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Frank Xia <xiayangsong@huawei.com>
References: <488726EC.6030207@gmx.net> <01f401c8ece4$da93b130$5c0c7c0a@china.huawei.com>
In-Reply-To: <01f401c8ece4$da93b130$5c0c7c0a@china.huawei.com>
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.47
Cc: dime@ietf.org
Subject: Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dime-bounces@ietf.org
Errors-To: dime-bounces@ietf.org
Hi Frank, thanks for the quick feedback. I have a few more comments inline Frank Xia wrote: > Hi Hannes > > I try to jump ahead of Behcet to answer > some of your questions :-) > > Please check inline comments. > > BR > Frank > > > ----- Original Message ----- From: "Hannes Tschofenig" > <Hannes.Tschofenig@gmx.net> > To: <dime@ietf.org> > Sent: Wednesday, July 23, 2008 7:41 AM > Subject: [Dime] Relationship between > draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and > draft-sarikaya-dime-prefix-delegation-ps-01.txt > > >> I have sent my rechartering questions around regarding these two >> documents. I took a brief look at them and I wonder what the >> relationship between the two documents is. Why are there 2 documents >> on almost the same subject? >> > Frank=>They have almost the same main idea. > You can only refer to the draft > http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt. > > Ok. We can essentially forget the other document. Right? >> When I browse through >> http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt >> then I sometimes get the impression that you would like to later >> standardize a Diameter application. I wasn't sure why additional AVPs >> aren't sufficient, in case existing AVPs cannot be re-used? > Frank=>Prefix delegation is an authorization which may be > decoupled from an authentication. RFC4005/4072 only deal > with coupled authentication& authorization scenario. > It is true that the request for prefix authorization is not run independently from the message exchanges used for authentication. >> >> Let me also comment on a few selected items: >> >> >> AAA-based prefix authorization (PA) application MUST run between a >> NAS, located on AR, LMA, MR, etc. and an AAA server. >> >> [hannes] This requirement does not say a lot. The AAA protocol is >> always run between a client and a server. >> >> >> >> AAA-based PA application MUST support the AAA client to request >> prefixes from an AAA server. AAA-based PA application MUST support >> the client to give back the prefixes to the AAA server. >> >> [hannes] With the last sentence you mean that you need to have a way >> to indicate that the AAA session is terminated? > Frank=>In IPv6 renumbering scenario, it is necessary > >> >> If Secure Neighbor Discovery (SEND) [RFC3971] is used by the devices >> on the network, the certificate or the information needed to obtain a >> certificate SHOULD also be sent by the AAA server to NAS. >> >> [hannes] What information do you exactly want to carry towards the >> AAA client? > Frank=>IPv6 address prefix for NAS is authorized to route > I mean, you want to provide * prefix * lifetime * certificate from the AAA server to the AAA client. What else? >> >> In point-to-point link operation, the NAS MUST identify the interface >> of MN in its request. The NAS MAY provide a prefix hint, e.g. of >> length /48 to which the AAA server MUST reply with one or more >> prefixes, e.g. of length /64. >> >> [hannes] how would such an interface identifier look like? > Frank=>Tentatively, it can be the interface identifier part of host's > link local > address, NAI (RFC4282), or MAC address. > I would like to better understand what the AAA server should be doing based on this hint. Is the "hint" used to identify the end user and it's host? >> >> In point-to-point operation, the AAA server MAY assign the prefix(es) >> and related parameters such as the lifetime and the certificates to >> MN from MN's profile. >> >> [hannes] I am not sure what this means. You mean that the AAA server >> should keep state to make sure that it does not forget what it has >> provided to the MN? > Frank=>Probably, the AAA server for prefix delegation is different from > the AAA server for authentication. So it is necessary to record the > state. > OK. I don't think that you need to say that since this is already done today. >> For some reason the problem is not well described. In Section 3 of >> draft-sarikaya-dimeradext-prefix-auth-ps-00.txt you refer to RFC 4818 >> but I do not quite understand what you would like to see happening >> instead. >> >> AAA-based prefix authorization application SHOULD support prefix >> release procedures. >> >> [hannes] isn't this the same as mentioned in the previous requirement >> "AAA-based PA application MUST support the client to give back the >> prefixes to the AAA server. " > Frank=>It is the same. > >> >> The NAS is responsible for renewing the prefixes when the lifetime >> expires. The NAS SHOULD be able to extend the lifetime of the >> prefixes using messages designed for this purpose. >> >> [hannes] Why wouldn't we tie the lifetime of the prefix to the >> lifetime of the AAA session itself? Makes things much easier. The >> same applies a bit to this requirement: "It SHOULD be possible to >> renumber the prefixes authorized by AAA server. The AAA server SHOULD >> initiate prefix renumbering process. " > Frank=>IPv6 renumbering is a feature of IPv6. > If we tie the lifetime of prefix to the lifetime of AAA session, > it is certain that we can't suport IPv6 renumbering. > Even though IPv6 renumbering probably happen probably > infrequently, it is better for us to have such a mechnism to support. > > For IPv6 renumbering, here are some references > RFC 1916/2071/2072/2874/2894/4076/4192. > I know IPv6 renumbering but I was wondering about the following issue. IPv6 renumber should occur less frequently and hence the lifetime is rather long. A AAA session typically isn't very long lived and it is possible to influence the lifetime with various parameters. Now, isn't it possible to re-authenticate and re-authorize the end host in case of network renumbering. Given that you have to re-authenticate quite often for other reasons as well shouldn't cause big problems. I am just trying to figure out how tough the requirements are. >> >> RFC2119 seems to be a bit randomly used in the document. > Frank=>We will polish the draft, > and also welcome more poeple to join us. > Ciao Hannes >> >> Ciao >> Hannes >> >> _______________________________________________ >> DiME mailing list >> DiME@ietf.org >> https://www.ietf.org/mailman/listinfo/dime >> > _______________________________________________ DiME mailing list DiME@ietf.org https://www.ietf.org/mailman/listinfo/dime
- [Dime] Relationship between draft-sarikaya-dimera… Hannes Tschofenig
- Re: [Dime] Relationship between draft-sarikaya-di… Frank Xia
- Re: [Dime] Relationship between draft-sarikaya-di… Hannes Tschofenig
- Re: [Dime] Relationship between draft-sarikaya-di… Frank Xia
- Re: [Dime] Relationship between draft-sarikaya-di… Hannes Tschofenig
- Re: [Dime] Relationship between draft-sarikaya-di… Frank Xia