IETF Logo Mail Archive

Re: [Dime] Fwd: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01

Behcet Sarikaya <behcetsarikaya@yahoo.com> Wed, 17 June 2009 19:39 UTC

Return-Path: <behcetsarikaya@yahoo.com>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3949F28C2E5 for <dime@core3.amsl.com>; Wed, 17 Jun 2009 12:39:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Level:
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[AWL=-0.647, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idvVbLI2wJSK for <dime@core3.amsl.com>; Wed, 17 Jun 2009 12:39:05 -0700 (PDT)
Received: from n64.bullet.mail.sp1.yahoo.com (n64.bullet.mail.sp1.yahoo.com [98.136.44.189]) by core3.amsl.com (Postfix) with SMTP id 74D123A6A2B for <dime@ietf.org>; Wed, 17 Jun 2009 12:38:50 -0700 (PDT)
Received: from [69.147.84.144] by n64.bullet.mail.sp1.yahoo.com with NNFMP; 17 Jun 2009 19:39:00 -0000
Received: from [67.195.9.82] by t6.bullet.mail.sp1.yahoo.com with NNFMP; 17 Jun 2009 19:39:00 -0000
Received: from [67.195.9.99] by t2.bullet.mail.gq1.yahoo.com with NNFMP; 17 Jun 2009 19:39:00 -0000
Received: from [127.0.0.1] by omp103.mail.gq1.yahoo.com with NNFMP; 17 Jun 2009 19:36:12 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 795609.9455.bm@omp103.mail.gq1.yahoo.com
Received: (qmail 70681 invoked by uid 60001); 17 Jun 2009 19:39:00 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1245267540; bh=xcsac6OfOc2sito/n4yNggBdLXzq7E9rrDZHjsT5HtA=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=daYGJBznm8rFMUACEJjbjiSs1VbtzvmSzp+gNcdQsvbWF1ZHd6L39DZ5bugj9CagS0tn8nzRz4GY7phTWYsJyunUw3mw62uObpWooGZMiIXUnpII+Ry4g8YnuN8592Ur5SjbCsWYSx45HRsTnPFf38lkSBx3z8DquBJM9IbXdg0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=vdY5vGQhvRc1cnvNhPIRuYXTW26WJaYD1owr6OiNoL/i6CowtsC7CUmJyD2T1O83kqTrzPKM06iT6uOnpH/OuyXYXUcnyU/PgvjUqSODuA/XrgYYjJ30ce+qsY51pvFhpiYwsHIWAm6e/BUPA6Ce/6Re0eVKRhugaz+gFDMJ8X8=;
Message-ID: <505836.70599.qm@web111413.mail.gq1.yahoo.com>
X-YMail-OSG: JJymww4VM1nRbbfcvY9.MNf7uNPKjzQfwfrX84Ce5FC7QT9GfRcLV6cIMgGCnNuUrDu4RTbJvZpFVIbQPiv.jq6dVHV4hxg_vziMfQb_rHdJuoUQVVJiCp5S..U8ZA1joaEQAXVBdDCTcp4pqE8ayvoUsYgMNLO7u4ZuPfxIs8XRo2LwiP9ZOZfLqnTRiQk7ZTU3BVK0etU6mT68XEb0wYDVwdvi7x1iCsHrFVp1131J2uBAoH.WedlTnLM0EHCuyAKFsLU0_EKb8MLNDGW8ipHeZqvdknlNv5XSrub4jvousYWGho4VbfHB1CFI4jAdkbZsXKSch3ELdB039TyCbpI-
Received: from [206.16.17.212] by web111413.mail.gq1.yahoo.com via HTTP; Wed, 17 Jun 2009 12:39:00 PDT
X-Mailer: YahooMailRC/1277.43 YahooMailWebService/0.7.289.15
References: <20090610092653.601A33A6E07@core3.amsl.com> <1CE00542-32BF-4344-884C-CCDC763FA853@gmail.com> <f1f4dcdc0906101449m6e72475s82ac408f9af15505@mail.gmail.com> <2FA145BF-2534-4A2A-A878-C50A6B3C0087@gmail.com> <f1f4dcdc0906151732l54a30412ubcbd6c4b883e74b5@mail.gmail.com> <5CC059D9-6113-49A3-9748-9F4562A248CC@gmail.com>
Date: Wed, 17 Jun 2009 12:39:00 -0700
From: Behcet Sarikaya <behcetsarikaya@yahoo.com>
To: jouni korhonen <jouni.nospam@gmail.com>, Vijay Devarapalli <dvijay@gmail.com>
In-Reply-To: <5CC059D9-6113-49A3-9748-9F4562A248CC@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: dime@ietf.org
Subject: Re: [Dime] Fwd: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Behcet Sarikaya <sarikaya@ieee.org>
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2009 19:39:06 -0000

Hi Jouni,
  I have no comment on your points below except this one:
Well.. feature in a sense that you have both functionalities in the same box anyway. Stretching my memory on the requirements, this came from the cases where an I-WLAN PDG and a HA were to be bundled together.

I don't think ePDG and HA can be bundled together in 3GPP architecture. HA is at the PDN Gateway an entity above PDG.

Regards,

Behcet



----- Original Message ----
From: jouni korhonen <jouni.nospam@gmail.com>
To: Vijay Devarapalli <dvijay@gmail.com>
Cc: dime@ietf.org
Sent: Tuesday, June 16, 2009 5:27:44 AM
Subject: Re: [Dime] Fwd: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01

Hi Vijay,

On Jun 16, 2009, at 3:32 AM, Vijay Devarapalli wrote:

> Hi Jouni,
> 
> On Wed, Jun 10, 2009 at 11:03 PM, jouni korhonen<jouni.nospam@gmail.com> wrote:
>> Hi Vijay,
>> 
>> 
>> On Jun 11, 2009, at 12:49 AM, Vijay Devarapalli wrote:
>> 
>>> Hi Jouni,
>>> 
>>> I have a comment on the "VPN Gateway feature". There is no document
>>> that describes what it means for a Mobile IPv6 home agent to act as a
>>> VPN gateway. The IKEv2 exchange between the MN and the HA [RFC 4877
>>> and 5026] already supports mutual authentication, address assignment
>>> and setting up of tunnel mode ESP SAs. Are you referring to this as
>>> VPN mode? But isn't this regular Home agent functionality?
>> 
>> The "VPN mode" is when you use HA IKEv2/IPsec functionality purely for
>> conventional VPN remote access purposes without any mobility.
> 
> Again, what does this mean? When you run IKEv2 as described in RFC
> 4877 and 5026, you are creating tunnel mode security associations for
> a *Mobile IPv6 tunnel*. In the "VPN" mode, does the mobile node switch
> of the Mobile IPv6 stack?

VPN mode is plain RFC4306 + 4303 etc. You end up implementing that machinery there in any case, so why not allow using a HA as a VPN gateway as well. In this case, there is no mobility involved.

> 
> Or does the Home Agent behave an IPsec VPN gateway for pure IPsec
> clients, i.e., there is no Mobile IPv6 stack on these clients.

Yes.


> 
> 
>> That type of
>> deployment is shortly referenced in draft-ietf-dime-mip6-split Section 4.1.
>> I recall this functionality was originally requested by Gerardo..
> 
> It doesn't make sense to me. :) This looks more like co-locating a
> Mbile IPv6 home agent and an IPsec VPN gateway and supporting both
> Mobile IPv6 mobile nodes and plain IPsec clients at the same time.

Yes, it is about co-location. To me it makes sense as much as IKEv2+IPsec with MIP6 ;)


> 
> 
> There has to be more to this scenario than just the short paragraph in
> draft-ietf-dime-mip6-split.

Yes, agree.


> 
> 
>>> Or is there a separate IPsec VPN that is first setup and then Mobile
>>> IPv6 is run on top of the IPsec tunnels?
>> 
>> As shortly described in split document:
>> 
>>  In some deployment scenarios, the HA may also act as an IKEv2
>>  Responder for a conventional IPsec VPN access.  The challenge in this
>>  case is that the IKEv2 responder may not know if IKEv2 is used for
>>  Mobile IPv6 service or for IPsec VPN access service.  A network
>>  operator needs to be aware of this limitation.  One solution already
>>  supported by IKEv2 is to use different responder identities when
>>  operating as a conventional IPsec VPN gateway or as a HA.  The MN can
>>  then indicate the preferred responder type using the appropriate IDr
>>  payload in the IKE_AUTH message.
>> 
>> But yeah, now that feature bits are taken into a separate document, the
>> connection between the above and the new feature bit is rather weak. Either
>> we need more text and/or reference in the draft-korhonen-dime-feature-bits
>> or just remove the bit all together. Since the difference between
>> conventional IKEv2 IPsec VPN gateway part and HA's IKEv2 IPsec functionality
>> is rather small, I would keep the feature bit and enhance the text instead.
> 
> It is not "rather small" in my opinion. I don't understand how
> supporting plain IPsec clients can be a feature on a Mobile IPv6 home
> agent. :)

Well.. feature in a sense that you have both functionalities in the same box anyway. Stretching my memory on the requirements, this came from the cases where an I-WLAN PDG and a HA were to be bundled together.

Jouni


> 
> 
> Vijay
> 
>> 
>> Jouni
>> 
>> 
>>> 
>>> 
>>> Vijay
>>> 
>>> On Wed, Jun 10, 2009 at 2:55 AM, jouni korhonen<jouni.nospam@gmail.com>
>>> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> I have updated the additional feature bits draft. I did remove some stuff
>>>> so
>>>> that the draft now only reserves MIP6-Feature-Vector flag bits and
>>>> nothing
>>>> more. I'll forward the draft soon to RFC editor so if anyone has
>>>> comments,
>>>> please be quick :)
>>>> 
>>>> Cheers,
>>>>      Jouni
>>>> 
>>>> Begin forwarded message:
>>>> 
>>>>> From: IETF I-D Submission Tool <idsubmission@ietf.org>
>>>>> Date: June 10, 2009 12:26:53 PM GMT+03:00
>>>>> To: jouni.nospam@gmail.com
>>>>> Subject: New Version Notification for
>>>>>  draft-korhonen-dime-mip6-feature-bits-01
>>>>> 
>>>>> 
>>>>> A new version of I-D, draft-korhonen-dime-mip6-feature-bits-01.txt has
>>>>> been successfuly submitted by Jouni Korhonen and posted to the IETF
>>>>> repository.
>>>>> 
>>>>> Filename:        draft-korhonen-dime-mip6-feature-bits
>>>>> Revision:        01
>>>>> Title:          Diameter MIP6 Feature Vector Additional Bit Allocations
>>>>> Creation_date:  2009-06-10
>>>>> WG ID:          Independent Submission
>>>>> Number_of_pages: 5
>>>>> 
>>>>> Abstract:
>>>>> During the Mobile IPv6 Split Scenario bootstrapping the Mobile IPv6
>>>>> Home Agent and the Authentication, Authorization, and Accounting
>>>>> server may exchange a set of authorized mobility capabilities.  This
>>>>> document defines new mobility capability flags that are used to
>>>>> authorize per Mobile Node route optimization, Multiple Care-of
>>>>> Address and user plane traffic encryption support.  Furthermore, this
>>>>> document also defines a capability flag of indicating whether the
>>>>> Home Agent is authorized to act as a stand alone Virtual Private
>>>>> Network gateway.
>>>>> 
>>>>> 
>>>>> 
>>>>> The IETF Secretariat.
>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> DiME mailing list
>>>> DiME@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dime
>>>> 
>> 
>> 

_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

v2.23.0 | Report a Bug | By Email