RE: review of dime-mip6-split; was RE: [Dime] Meeting Minutes
<jouni.korhonen@teliasonera.com> Thu, 30 August 2007 13:17 UTC
Return-path: <dime-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IQjtP-0005m0-CG; Thu, 30 Aug 2007 09:17:04 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IQjtN-0005lh-Er for dime@ietf.org; Thu, 30 Aug 2007 09:17:01 -0400
Received: from sehan001bb.han.telia.se ([131.115.18.152]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IQjtM-0008Pw-8Q for dime@ietf.org; Thu, 30 Aug 2007 09:17:01 -0400
Received: from SEHAN021MB.tcad.telia.se ([131.115.18.160]) by sehan001bb.han.telia.se with Microsoft SMTPSVC(6.0.3790.1830); Thu, 30 Aug 2007 15:16:57 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: review of dime-mip6-split; was RE: [Dime] Meeting Minutes
Date: Thu, 30 Aug 2007 15:16:53 +0200
Message-ID: <59D7431DE2527D4CB0F1EFEDA5683ED30222C9D5@SEHAN021MB.tcad.telia.se>
In-Reply-To: <46D692CF.80109@gmx.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: review of dime-mip6-split; was RE: [Dime] Meeting Minutes
Thread-Index: Acfq6y30oJnmatpNTbuMx7oR1vMNoQACchyw
From: jouni.korhonen@teliasonera.com
To: Hannes.Tschofenig@gmx.net
X-OriginalArrivalTime: 30 Aug 2007 13:16:57.0715 (UTC) FILETIME=[0AD20430:01C7EB08]
X-Spam-Score: 1.8 (+)
X-Scan-Signature: 410b68b37343617c6913e76d02180b14
Cc: dime@ietf.org
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Errors-To: dime-bounces@ietf.org
Hi Hannes, See my replies inline. > Sent: 30. elokuuta 2007 12:50 > > Hi Jouni, > > thanks again for your extremely detailed review. > > A few more comments below: > > > Section 6.1.1 > > > > o For what purpose the MIP6-Feature-Vector is in DER & DEA > messages? > > Its use is not explained anywhere? > > > > > Currently, the MIP6-Feature-Vector contains the following values: > > (a) MOBILITY_CAPABILITY > (b) MIP6_INTEGRATED > (c) LOCAL_HOME_AGENT_ASSIGNMENT > > Item (a) is not really required because the AAA server is > able to learn about the Diameter client's mobility capability > from the MIP6 App-ID. > Item (b) is not applicable since this is not the integrated scenario. > This leaves us with item (c). If the AAA client is not in the > same domain as the AAA server then this could be useful. Right? Fine. This question was motivated because MIP6-Feature-Vector is a new AVP to HA-AAA interface but the document does not really describe anything about it. IHMO there must be some text to describe its desired use in that interface. > > o The use of the MIP-Mobile-Node-Address in both DER & DEA messages > > are not explained anywhere. I would expect that at least > why it is > > needed in DEA would be explained. > > > The MIP-Mobile-Node-Address allows the AAA server to provide > the MN's HoA to be conveyed to the AAA client. > Does this make sense to you? Yes. You should add that also to the document ;) > > Section 6.2 > > > > o this section and its subsections need a major rework.. > > > > o The current text only talks about using MN-AAA auth option. > > Is there a particular reason to neglect MN-HA auth option > > for BUs? > > > Ideally, dime-mip6-split should be as close to RFC 4004 with > regard to the usage of the communication between the HA and > the AAA server. > Hence, we should definitely make utilize MIP-MN-AAA-Auth (as > defined in Section 7.6 of RFC 4004) as it is used in the > AA-Mobile-Node-Request > (AMR) message of RFC 4004. > > When you look at Section 6.2.1 of dime-mip6-split then you > will find the MIP-MN-AAA-Auth AVP. The way RFC4285 calculates MN-HA and MN-AAA are different. MN-HA is more or less local with fixed algorithms, except that you might receive the shared-key from the AAA. On the other hand you can let AAA do all MN-AAA calculations.. or divide it between HA and AAA. It should be clarified what AVPs to use and what to put into those when processing MN-HA or MN-AAA received from the MN. Even if we are reusing RFC4004 AVPs we cannot assume that it is directly clear what to do. > Hence, I believe things are in place. > > > o There should be an AVP to distinguish between MN-AAA and > > MN-HA operations towards AAA. > > > > In what sense? What AVPs from RFC 4004 would be needed? I don't think there's one. > > o For what purpose MIP6-Feature-Vector is needed? > > > Do you mean that we should instead use the MIP-Feature-Vector > AVP from RFC 4004? No, I just want a line of text saying for what and how the AAA expects to use the MIP6-Feature-Vector. We have defined few values for integrated scenario and explained their use in that domain. Would be nice to have the same for split scenario aswell. > > o MIP-MN-AAA-Auth AVP cannot really be used.. as it just points > > byte ranges within the BU. We do not seem to pass the BU from > > HA to AAA in the MRM message. > > > This is what RFC 4004 says: > > 7.6. MIP-MN-AAA-Auth AVP > > The MN-AAA-Auth AVP (AVP Code 322) is of type Grouped and contains > some ancillary data to simplify processing of the > authentication data > in the Mobile IPv4 Registration Request [MOBILEIP, MIPCHAL] by the > target AAA server. Its value has the following ABNF grammar: > > MIP-MN-AAA-Auth ::= < AVP Header: 322 > > { MIP-MN-AAA-SPI } > { MIP-Auth-Input-Data-Length } > { MIP-Authenticator-Length } > { MIP-Authenticator-Offset } > * [ AVP ] > > > I agree with you that we cannot right away use it. > > I will investigate what other SDOs did, such as 3GPP2 or > Wimax, with respect to this issue. I will come back to you on > this one. RFC4004 passes the whole BU message in the AMR to AAA. 3GPP2 passes only those parts of the message that are needed to for MN-AAA authentication. 3GPP has no clue ;) And WiMAX does its own thing. All those are deployment dependant. It might be really hard to come up with a proper HA-AAA interface for RFC4285 that is actually usable. > > o for MN-AAA computation the MRM is missing an AVP to carry a CoA > > to AAA > > > Is this missing in RFC 4004 as well or is this specific to MIPv6 > bootstrapping? RFC4004 passes the whole BU to AAA.. so it finds the CoA etc by parsing the data. I think this is not the right way ;) If AAA does MN-AAA authentication it needs CoA and HoA to verify the authentication data provided by the HA and MN. > > o MIP-MN-to-HA-SPI & MIP-HA-to-MN-SPI are only usable for > > MN-HA auth option that this I-D does not support at the moment > > for Bus (btw.. I am not sure whether RFC4285 actually can have > > different SPIs to different directions) > > > Could you please clarify your comment regarding MIP-MN-to-HA-SPI & > MIP-HA-to-MN-SPI? I am not sure I understood the problem. Well.. for MN-AAA authentication you would use MIP-MN-AAA-SPI (that is part of MIP-MN-AAA-Auth grouped AVP. So if you authentication MN using MN-AAA you don't use MIP-MN-to-HA-SPI etc, right? And the current text in the draft does not difference between MN-HA and MN-AAA authentications. They would need slightly different set or way of using AVPs. These should be clarified. > Regarding the SPIs: I believe we should re-use RFC 4004 as much as > possible to avoid additional implementation complexity on the > AAA server > side. > In RFC 4004 two different SPIs are used. Yes.. my question in parenthesis was something more general related to RFC4285. > > o We need a generic SPI AVP.. also for MN-AAA authentication > > > Why? Sorry, missed the MIP-MN-AAA-SPI in the MIP-MN-AAA-Auth grouped AVP. That can be used for MN-AAA. > > o for MN-HA authentication we probably need an AVP to return > > the shared key from AAA to HA (well.. the used MIP-HA-to-MN-MSA > > AVP could do but its use should be specified as it is a > > grouped AVP and not all sub-AVPs are needed) > > > I indeed thought that we could use the MIP-HA-to-MN-MSA AVP as is > (without modifications). Within the MIP-HA-to-MN-MSA AVP we don't seem to need MIP-Algorithm-Type as RFC4285 has a fixed one. Hmm.. maybe we could state that for the MN-HA authentication the algorithm is always set to HMAC-SHA-1 (2) within RFC4285 scope. > > o MN-AAA authentication probably needs an AVP to carry the > > timestamp from HA to AAA > > > Why? RFC 4004 only defines one timestamp for accounting (see > Event-Timestamp AVP). Some deployments might want to use timestamp as one parameter that is used by the AAA to derive session keys. > > o MN-AAA authentication probably needs an AVP to carry the > > authentication data from HA to AAA > > > Which authentication data? >From the Message Auth option.. if AAA does the MN-AAA authentication it probably wants to have the authentication data. > > o We probably need an AVP to carry the mobility data or a > > MAC of the mobility data from HA to AAA > > > I guess this refers to the previously mentioned > MIP-MN-AAA-Auth AVP. Right? Not really. MIP-MN-AAA-Auth AVP does not provide way to transfer e.g. calculated MAC mobility data calculated HA to AAA, if HA wished to do that calculation. > > o Use of MIP-Session-Key? I assume it is used to MN-HA calculation > > in a BA as the shared secret. > > > The MIP-Session-Key AVP is contained in a couple of grouped > AVPs. It's > semantic depends on the grouped AVP it is carried in. Probably those semantics should be explained. > > o Giving explanations of AVP usage and even RFC4285 compliant > > examples of auth option processing would be most beneficial. > > The RFC4285 has always been somewhat foggy ;) > > > RFC 4285 is, in my opinion, a replica of the corresponding MIPv4 > authentication procedure (regarding the communication from > the HA to the > AAA server). It is close but not replica. > > o A reference to draft-ietf-mip6-whyauthdataoption would be usefull > > > > > I don't think we need that since this is mostly a job of RFC > 4285/RFC4285bis. Ok. Cheers, Jouni > > I think it would be beneficial to check what e.g. 3GPP2 did > > for their MIP6 HA-AAA interface. After all, they use RFC4285. > > > > > I will do that. > > Ciao > Hannes > > > Cheers, > > Jouni > > > > > > > >> -----Original Message----- > >> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net] > >> Sent: Thursday, August 16, 2007 12:59 AM > >> To: dime@ietf.org > >> Subject: [Dime] Meeting Minutes > >> > >> > >> Please check the meeting minutes: > >> http://www3.ietf.org/proceedings/07jul/minutes/dime.txt > >> > >> > >> > >> _______________________________________________ > >> DiME mailing list > >> DiME@ietf.org > >> https://www1.ietf.org/mailman/listinfo/dime > >> > >> > > _______________________________________________ DiME mailing list DiME@ietf.org https://www1.ietf.org/mailman/listinfo/dime
- [Dime] Meeting Minutes Hannes Tschofenig
- [Dime] Meeting Minutes Hannes Tschofenig
- [Dime] Meeting Minutes Hannes Tschofenig
- Re: review of dime-mip6-split; was RE: [Dime] Mee… Hannes Tschofenig
- RE: review of dime-mip6-split; was RE: [Dime] Mee… jouni.korhonen
- Re: review of dime-mip6-split; was RE: [Dime] Mee… Hannes Tschofenig
- review of dime-mip6-split; was RE: [Dime] Meeting… jouni.korhonen
- Re: review of dime-mip6-split; was RE: [Dime] Mee… Hannes Tschofenig
- RE: review of dime-mip6-split; was RE: [Dime] Mee… jouni.korhonen
- [Dime] Meeting Minutes Hannes Tschofenig