IETF Logo Mail Archive

Re: [Dime] Fwd: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01

jouni korhonen <jouni.nospam@gmail.com> Tue, 16 June 2009 10:27 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B08373A6AA7 for <dime@core3.amsl.com>; Tue, 16 Jun 2009 03:27:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28atz3kQjW4d for <dime@core3.amsl.com>; Tue, 16 Jun 2009 03:27:52 -0700 (PDT)
Received: from mail-fx0-f211.google.com (mail-fx0-f211.google.com [209.85.220.211]) by core3.amsl.com (Postfix) with ESMTP id 61A943A692D for <dime@ietf.org>; Tue, 16 Jun 2009 03:27:52 -0700 (PDT)
Received: by fxm7 with SMTP id 7so519582fxm.37 for <dime@ietf.org>; Tue, 16 Jun 2009 03:27:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=wgEjzl6nglJwCUBvqiGVyOrolF+LVmoJny80Xf8ezsA=; b=nzxZEVKbOUEAHgAemfJTQb14XXFk4NdhaO6xzOj6uNPR4Qt7gc/nrpm5VR+2v2eKG4 yZaeNCDr82L76DJVIjIz/Fsj23F8eOGMXXBfkq/keSlL1Bjiu5mV8pDIAnnnB52gaLSx 0IAiu9O1ZMwFPCZz2WL6yUsnnE6GAe63FvnBU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=MNXFOSwHdctSAlBssxXiAUxQ5cb4SR68dc6EFz3RSqMCBsu66597y9+ihIb0gXRlLo 8jRdiKF4OfYKHdE0guaHY18OFFBdZMvsw449vtyg7v8VaABR+PmTSsQcmNPVRAK7Mstc gvabYKPOsRkD2RgPaunyKNVG04Kf7LuJYTexU=
Received: by 10.103.8.3 with SMTP id l3mr4348186mui.116.1245148067754; Tue, 16 Jun 2009 03:27:47 -0700 (PDT)
Received: from ?192.168.100.17? (MYDCCLI.gprs.sl-laajakaista.fi [85.77.238.152]) by mx.google.com with ESMTPS id 23sm568101mum.5.2009.06.16.03.27.46 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Jun 2009 03:27:47 -0700 (PDT)
Message-Id: <5CC059D9-6113-49A3-9748-9F4562A248CC@gmail.com>
From: jouni korhonen <jouni.nospam@gmail.com>
To: Vijay Devarapalli <dvijay@gmail.com>
In-Reply-To: <f1f4dcdc0906151732l54a30412ubcbd6c4b883e74b5@mail.gmail.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Tue, 16 Jun 2009 13:27:44 +0300
References: <20090610092653.601A33A6E07@core3.amsl.com> <1CE00542-32BF-4344-884C-CCDC763FA853@gmail.com> <f1f4dcdc0906101449m6e72475s82ac408f9af15505@mail.gmail.com> <2FA145BF-2534-4A2A-A878-C50A6B3C0087@gmail.com> <f1f4dcdc0906151732l54a30412ubcbd6c4b883e74b5@mail.gmail.com>
X-Mailer: Apple Mail (2.935.3)
Cc: dime@ietf.org
Subject: Re: [Dime] Fwd: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2009 10:27:54 -0000

Hi Vijay,

On Jun 16, 2009, at 3:32 AM, Vijay Devarapalli wrote:

> Hi Jouni,
>
> On Wed, Jun 10, 2009 at 11:03 PM, jouni korhonen<jouni.nospam@gmail.com 
> > wrote:
>> Hi Vijay,
>>
>>
>> On Jun 11, 2009, at 12:49 AM, Vijay Devarapalli wrote:
>>
>>> Hi Jouni,
>>>
>>> I have a comment on the "VPN Gateway feature". There is no document
>>> that describes what it means for a Mobile IPv6 home agent to act  
>>> as a
>>> VPN gateway. The IKEv2 exchange between the MN and the HA [RFC 4877
>>> and 5026] already supports mutual authentication, address assignment
>>> and setting up of tunnel mode ESP SAs. Are you referring to this as
>>> VPN mode? But isn't this regular Home agent functionality?
>>
>> The "VPN mode" is when you use HA IKEv2/IPsec functionality purely  
>> for
>> conventional VPN remote access purposes without any mobility.
>
> Again, what does this mean? When you run IKEv2 as described in RFC
> 4877 and 5026, you are creating tunnel mode security associations for
> a *Mobile IPv6 tunnel*. In the "VPN" mode, does the mobile node switch
> of the Mobile IPv6 stack?

VPN mode is plain RFC4306 + 4303 etc. You end up implementing that  
machinery there in any case, so why not allow using a HA as a VPN  
gateway as well. In this case, there is no mobility involved.

>
> Or does the Home Agent behave an IPsec VPN gateway for pure IPsec
> clients, i.e., there is no Mobile IPv6 stack on these clients.

Yes.


>
>
>> That type of
>> deployment is shortly referenced in draft-ietf-dime-mip6-split  
>> Section 4.1.
>> I recall this functionality was originally requested by Gerardo.
>
> It doesn't make sense to me. :) This looks more like co-locating a
> Mbile IPv6 home agent and an IPsec VPN gateway and supporting both
> Mobile IPv6 mobile nodes and plain IPsec clients at the same time.

Yes, it is about co-location. To me it makes sense as much as  
IKEv2+IPsec with MIP6 ;)


>
>
> There has to be more to this scenario than just the short paragraph in
> draft-ietf-dime-mip6-split.

Yes, agree.


>
>
>>> Or is there a separate IPsec VPN that is first setup and then Mobile
>>> IPv6 is run on top of the IPsec tunnels?
>>
>> As shortly described in split document:
>>
>>   In some deployment scenarios, the HA may also act as an IKEv2
>>   Responder for a conventional IPsec VPN access.  The challenge in  
>> this
>>   case is that the IKEv2 responder may not know if IKEv2 is used for
>>   Mobile IPv6 service or for IPsec VPN access service.  A network
>>   operator needs to be aware of this limitation.  One solution  
>> already
>>   supported by IKEv2 is to use different responder identities when
>>   operating as a conventional IPsec VPN gateway or as a HA.  The MN  
>> can
>>   then indicate the preferred responder type using the appropriate  
>> IDr
>>   payload in the IKE_AUTH message.
>>
>> But yeah, now that feature bits are taken into a separate document,  
>> the
>> connection between the above and the new feature bit is rather  
>> weak. Either
>> we need more text and/or reference in the draft-korhonen-dime- 
>> feature-bits
>> or just remove the bit all together. Since the difference between
>> conventional IKEv2 IPsec VPN gateway part and HA's IKEv2 IPsec  
>> functionality
>> is rather small, I would keep the feature bit and enhance the text  
>> instead.
>
> It is not "rather small" in my opinion. I don't understand how
> supporting plain IPsec clients can be a feature on a Mobile IPv6 home
> agent. :)

Well.. feature in a sense that you have both functionalities in the  
same box anyway. Stretching my memory on the requirements, this came  
from the cases where an I-WLAN PDG and a HA were to be bundled together.

Jouni


>
>
> Vijay
>
>>
>> Jouni
>>
>>
>>>
>>>
>>> Vijay
>>>
>>> On Wed, Jun 10, 2009 at 2:55 AM, jouni korhonen<jouni.nospam@gmail.com 
>>> >
>>> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I have updated the additional feature bits draft. I did remove  
>>>> some stuff
>>>> so
>>>> that the draft now only reserves MIP6-Feature-Vector flag bits and
>>>> nothing
>>>> more. I'll forward the draft soon to RFC editor so if anyone has
>>>> comments,
>>>> please be quick :)
>>>>
>>>> Cheers,
>>>>       Jouni
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: IETF I-D Submission Tool <idsubmission@ietf.org>
>>>>> Date: June 10, 2009 12:26:53 PM GMT+03:00
>>>>> To: jouni.nospam@gmail.com
>>>>> Subject: New Version Notification for
>>>>>  draft-korhonen-dime-mip6-feature-bits-01
>>>>>
>>>>>
>>>>> A new version of I-D, draft-korhonen-dime-mip6-feature- 
>>>>> bits-01.txt has
>>>>> been successfuly submitted by Jouni Korhonen and posted to the  
>>>>> IETF
>>>>> repository.
>>>>>
>>>>> Filename:        draft-korhonen-dime-mip6-feature-bits
>>>>> Revision:        01
>>>>> Title:           Diameter MIP6 Feature Vector Additional Bit  
>>>>> Allocations
>>>>> Creation_date:   2009-06-10
>>>>> WG ID:           Independent Submission
>>>>> Number_of_pages: 5
>>>>>
>>>>> Abstract:
>>>>> During the Mobile IPv6 Split Scenario bootstrapping the Mobile  
>>>>> IPv6
>>>>> Home Agent and the Authentication, Authorization, and Accounting
>>>>> server may exchange a set of authorized mobility capabilities.   
>>>>> This
>>>>> document defines new mobility capability flags that are used to
>>>>> authorize per Mobile Node route optimization, Multiple Care-of
>>>>> Address and user plane traffic encryption support.  Furthermore,  
>>>>> this
>>>>> document also defines a capability flag of indicating whether the
>>>>> Home Agent is authorized to act as a stand alone Virtual Private
>>>>> Network gateway.
>>>>>
>>>>>
>>>>>
>>>>> The IETF Secretariat.
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> DiME mailing list
>>>> DiME@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dime
>>>>
>>
>>

v2.23.0 | Report a Bug | By Email