Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt
Frank Xia <xiayangsong@huawei.com> Wed, 23 July 2008 20:00 UTC
Return-Path: <dime-bounces@ietf.org>
X-Original-To: dime-archive@megatron.ietf.org
Delivered-To: ietfarch-dime-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC6703A6A50; Wed, 23 Jul 2008 13:00:27 -0700 (PDT)
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE9693A68E7 for <dime@core3.amsl.com>; Wed, 23 Jul 2008 13:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[AWL=0.248, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 92KsXCPPAYNv for <dime@core3.amsl.com>; Wed, 23 Jul 2008 13:00:25 -0700 (PDT)
Received: from usaga04-in.huawei.com (usaga04-in.huawei.com [206.16.17.180]) by core3.amsl.com (Postfix) with ESMTP id 508573A6A50 for <dime@ietf.org>; Wed, 23 Jul 2008 13:00:25 -0700 (PDT)
Received: from huawei.com (usaga04-in [172.18.9.16]) by usaga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0K4H005A269T58@usaga04-in.huawei.com> for dime@ietf.org; Wed, 23 Jul 2008 15:01:06 -0500 (CDT)
Received: from X24512z ([10.124.12.92]) by usaga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0K4H0079569S4N@usaga04-in.huawei.com> for dime@ietf.org; Wed, 23 Jul 2008 15:01:05 -0500 (CDT)
Date: Wed, 23 Jul 2008 15:01:04 -0500
From: Frank Xia <xiayangsong@huawei.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Message-id: <02a501c8ecfe$d6d28bb0$5c0c7c0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-Priority: 3
X-MSMail-priority: Normal
References: <488726EC.6030207@gmx.net> <01f401c8ece4$da93b130$5c0c7c0a@china.huawei.com> <488786DE.6010400@gmx.net>
Cc: dime@ietf.org
Subject: Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dime-bounces@ietf.org
Errors-To: dime-bounces@ietf.org
Hi Hannes Please check my reply.. BR Frank ----- Original Message ----- From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> To: "Frank Xia" <xiayangsong@huawei.com> Cc: <dime@ietf.org> Sent: Wednesday, July 23, 2008 2:30 PM Subject: Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt > Hi Frank, > > thanks for the quick feedback. > > I have a few more comments inline > > Frank Xia wrote: >> Hi Hannes >> >> I try to jump ahead of Behcet to answer >> some of your questions :-) >> >> Please check inline comments. >> >> BR >> Frank >> >> >> ----- Original Message ----- From: "Hannes Tschofenig" >> <Hannes.Tschofenig@gmx.net> >> To: <dime@ietf.org> >> Sent: Wednesday, July 23, 2008 7:41 AM >> Subject: [Dime] Relationship between >> draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and >> draft-sarikaya-dime-prefix-delegation-ps-01.txt >> >> >>> I have sent my rechartering questions around regarding these two >>> documents. I took a brief look at them and I wonder what the >>> relationship between the two documents is. Why are there 2 documents on >>> almost the same subject? >>> >> Frank=>They have almost the same main idea. >> You can only refer to the draft >> http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt. >> > Ok. We can essentially forget the other document. Right? Frank=>Yes. > > >>> When I browse through >>> http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt >>> then I sometimes get the impression that you would like to later >>> standardize a Diameter application. I wasn't sure why additional AVPs >>> aren't sufficient, in case existing AVPs cannot be re-used? >> Frank=>Prefix delegation is an authorization which may be >> decoupled from an authentication. RFC4005/4072 only deal >> with coupled authentication& authorization scenario. >> > It is true that the request for prefix authorization is not run > independently from the message exchanges used for authentication. Frank=>A little bit confusing. You meant "independently " or not? > >>> >>> Let me also comment on a few selected items: >>> >>> >>> AAA-based prefix authorization (PA) application MUST run between a NAS, >>> located on AR, LMA, MR, etc. and an AAA server. >>> >>> [hannes] This requirement does not say a lot. The AAA protocol is always >>> run between a client and a server. >>> >>> >>> >>> AAA-based PA application MUST support the AAA client to request prefixes >>> from an AAA server. AAA-based PA application MUST support the client to >>> give back the prefixes to the AAA server. >>> >>> [hannes] With the last sentence you mean that you need to have a way to >>> indicate that the AAA session is terminated? >> Frank=>In IPv6 renumbering scenario, it is necessary >> >>> >>> If Secure Neighbor Discovery (SEND) [RFC3971] is used by the devices on >>> the network, the certificate or the information needed to obtain a >>> certificate SHOULD also be sent by the AAA server to NAS. >>> >>> [hannes] What information do you exactly want to carry towards the AAA >>> client? >> Frank=>IPv6 address prefix for NAS is authorized to route >> > I mean, you want to provide > * prefix > * lifetime > * certificate > from the AAA server to the AAA client. > What else? Frank=> I can only find these now. > >>> >>> In point-to-point link operation, the NAS MUST identify the interface of >>> MN in its request. The NAS MAY provide a prefix hint, e.g. of length /48 >>> to which the AAA server MUST reply with one or more prefixes, e.g. of >>> length /64. >>> >>> [hannes] how would such an interface identifier look like? >> Frank=>Tentatively, it can be the interface identifier part of host's >> link local >> address, NAI (RFC4282), or MAC address. >> > I would like to better understand what the AAA server should be doing > based on this hint. > Is the "hint" used to identify the end user and it's host? Frank=>The hint is only for expressing client's preference. The server may honor this or not based on it's own discretion. > >>> >>> In point-to-point operation, the AAA server MAY assign the prefix(es) >>> and related parameters such as the lifetime and the certificates to MN >>> from MN's profile. >>> >>> [hannes] I am not sure what this means. You mean that the AAA server >>> should keep state to make sure that it does not forget what it has >>> provided to the MN? >> Frank=>Probably, the AAA server for prefix delegation is different from >> the AAA server for authentication. So it is necessary to record the >> state. >> > OK. > > I don't think that you need to say that since this is already done today. > >>> For some reason the problem is not well described. In Section 3 of >>> draft-sarikaya-dimeradext-prefix-auth-ps-00.txt you refer to RFC 4818 >>> but I do not quite understand what you would like to see happening >>> instead. >>> >>> AAA-based prefix authorization application SHOULD support prefix release >>> procedures. >>> >>> [hannes] isn't this the same as mentioned in the previous requirement >>> "AAA-based PA application MUST support the client to give back the >>> prefixes to the AAA server. " >> Frank=>It is the same. >> >>> >>> The NAS is responsible for renewing the prefixes when the lifetime >>> expires. The NAS SHOULD be able to extend the lifetime of the prefixes >>> using messages designed for this purpose. >>> >>> [hannes] Why wouldn't we tie the lifetime of the prefix to the lifetime >>> of the AAA session itself? Makes things much easier. The same applies a >>> bit to this requirement: "It SHOULD be possible to renumber the prefixes >>> authorized by AAA server. The AAA server SHOULD initiate prefix >>> renumbering process. " >> Frank=>IPv6 renumbering is a feature of IPv6. >> If we tie the lifetime of prefix to the lifetime of AAA session, >> it is certain that we can't suport IPv6 renumbering. >> Even though IPv6 renumbering probably happen probably >> infrequently, it is better for us to have such a mechnism to support. >> >> For IPv6 renumbering, here are some references >> RFC 1916/2071/2072/2874/2894/4076/4192. >> > I know IPv6 renumbering but I was wondering about the following issue. > > IPv6 renumber should occur less frequently and hence the lifetime is > rather long. > A AAA session typically isn't very long lived and it is possible to > influence the lifetime with various parameters. Frank=>IMHO, I don't agree with your assumption on AAA session lifetime. In fact, many people including me are always online because many operators don't charge based on time. For example, $30 a month is for no limited access. > > Now, isn't it possible to re-authenticate and re-authorize the end host in > case of network renumbering. Given that you have to re-authenticate quite > often for other reasons as well shouldn't cause big problems. Frank=>IMHO, it is not very graceful to kick off all the users when renumbering. > > I am just trying to figure out how tough the requirements are. Frank=>IMHO, it is very hard to figure out before widely IPv6 deployment. However, it is probably too late after large scale deployment. > >>> >>> RFC2119 seems to be a bit randomly used in the document. >> Frank=>We will polish the draft, >> and also welcome more poeple to join us. >> > > Ciao > Hannes >>> >>> Ciao >>> Hannes >>> >>> _______________________________________________ >>> DiME mailing list >>> DiME@ietf.org >>> https://www.ietf.org/mailman/listinfo/dime >>> >> > > _______________________________________________ DiME mailing list DiME@ietf.org https://www.ietf.org/mailman/listinfo/dime
- [Dime] Relationship between draft-sarikaya-dimera… Hannes Tschofenig
- Re: [Dime] Relationship between draft-sarikaya-di… Frank Xia
- Re: [Dime] Relationship between draft-sarikaya-di… Hannes Tschofenig
- Re: [Dime] Relationship between draft-sarikaya-di… Frank Xia
- Re: [Dime] Relationship between draft-sarikaya-di… Hannes Tschofenig
- Re: [Dime] Relationship between draft-sarikaya-di… Frank Xia