IETF Logo Mail Archive

Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt

Frank Xia <xiayangsong@huawei.com> Wed, 23 July 2008 16:54 UTC

Return-Path: <dime-bounces@ietf.org>
X-Original-To: dime-archive@megatron.ietf.org
Delivered-To: ietfarch-dime-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 346033A6AF6; Wed, 23 Jul 2008 09:54:25 -0700 (PDT)
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B19B73A6AF0 for <dime@core3.amsl.com>; Wed, 23 Jul 2008 09:54:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.337
X-Spam-Level:
X-Spam-Status: No, score=-2.337 tagged_above=-999 required=5 tests=[AWL=0.262, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SMTt2hltonBY for <dime@core3.amsl.com>; Wed, 23 Jul 2008 09:54:22 -0700 (PDT)
Received: from usaga04-in.huawei.com (usaga04-in.huawei.com [206.16.17.180]) by core3.amsl.com (Postfix) with ESMTP id 7DB743A6AEE for <dime@ietf.org>; Wed, 23 Jul 2008 09:54:22 -0700 (PDT)
Received: from huawei.com (usaga04-in [172.18.9.16]) by usaga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0K4G00L7ZXNSB9@usaga04-in.huawei.com> for dime@ietf.org; Wed, 23 Jul 2008 11:55:05 -0500 (CDT)
Received: from X24512z ([10.124.12.92]) by usaga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0K4G002ULXNRQ8@usaga04-in.huawei.com> for dime@ietf.org; Wed, 23 Jul 2008 11:55:04 -0500 (CDT)
Date: Wed, 23 Jul 2008 11:55:03 -0500
From: Frank Xia <xiayangsong@huawei.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, dime@ietf.org
Message-id: <01f401c8ece4$da93b130$5c0c7c0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-Priority: 3
X-MSMail-priority: Normal
References: <488726EC.6030207@gmx.net>
Subject: Re: [Dime] Relationship between draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and draft-sarikaya-dime-prefix-delegation-ps-01.txt
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dime-bounces@ietf.org
Errors-To: dime-bounces@ietf.org

Hi Hannes

I try to jump ahead of Behcet to  answer
some of your questions :-)

Please check inline comments.

BR
Frank


----- Original Message ----- 
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: <dime@ietf.org>
Sent: Wednesday, July 23, 2008 7:41 AM
Subject: [Dime] Relationship between 
draft-sarikaya-dimeradext-prefix-auth-ps-00.txt and 
draft-sarikaya-dime-prefix-delegation-ps-01.txt


>I have sent my rechartering questions around regarding these two documents. 
>I took a brief look at them and I wonder what the relationship between the 
>two documents is. Why are there 2 documents on almost the same subject?
>
Frank=>They have almost the same main idea.
You can only refer to the draft
http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt.

> When I browse through 
> http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt 
> then I sometimes get the impression that you would like to later 
> standardize a Diameter application. I wasn't sure why additional AVPs 
> aren't sufficient, in case existing AVPs cannot be re-used?
Frank=>Prefix delegation is an authorization which may be
decoupled from an authentication. RFC4005/4072 only deal
with coupled authentication& authorization scenario.

>
> Let me also comment on a few selected items:
>
>
> AAA-based prefix authorization (PA) application MUST run between a NAS, 
> located on AR, LMA, MR, etc. and an AAA server.
>
> [hannes] This requirement does not say a lot. The AAA protocol is always 
> run between a client and a server.
>
>
>
> AAA-based PA application MUST support the AAA client to request prefixes 
> from an AAA server. AAA-based PA application MUST support the client to 
> give back the prefixes to the AAA server.
>
> [hannes] With the last sentence you mean that you need to have a way to 
> indicate that the AAA session is terminated?
Frank=>In IPv6 renumbering scenario, it is necessary

>
> If Secure Neighbor Discovery (SEND) [RFC3971] is used by the devices on 
> the network, the certificate or the information needed to obtain a 
> certificate SHOULD also be sent by the AAA server to NAS.
>
> [hannes] What information do you exactly want to carry towards the AAA 
> client?
Frank=>IPv6 address prefix for NAS is authorized to route

>
> In point-to-point link operation, the NAS MUST identify the interface of 
> MN in its request. The NAS MAY provide a prefix hint, e.g. of length /48 
> to which the AAA server MUST reply with one or more prefixes, e.g. of 
> length /64.
>
> [hannes] how would such an interface identifier look like?
Frank=>Tentatively, it can be the interface identifier part of host's link 
local
address, NAI (RFC4282), or MAC address.

>
> In point-to-point operation, the AAA server MAY assign the prefix(es) and 
> related parameters such as the lifetime and the certificates to MN from 
> MN's profile.
>
> [hannes] I am not sure what this means. You mean that the AAA server 
> should keep state to make sure that it does not forget what it has 
> provided to the MN?
Frank=>Probably, the AAA server for prefix delegation is different from
the AAA server for authentication.  So it is necessary to record the state.

> For some reason the problem is not well described. In Section 3 of 
> draft-sarikaya-dimeradext-prefix-auth-ps-00.txt you refer to RFC 4818 but 
> I do not quite understand what you would like to see happening instead.
>
> AAA-based prefix authorization application SHOULD support prefix release 
> procedures.
>
> [hannes] isn't this the same as mentioned in the previous requirement 
> "AAA-based PA application MUST support the client to give back the 
> prefixes to the AAA server. "
Frank=>It is the same.

>
> The NAS is responsible for renewing the prefixes when the lifetime 
> expires. The NAS SHOULD be able to extend the lifetime of the prefixes 
> using messages designed for this purpose.
>
> [hannes] Why wouldn't we tie the lifetime of the prefix to the lifetime of 
> the AAA session itself? Makes things much easier. The same applies a bit 
> to this requirement: "It SHOULD be possible to renumber the prefixes 
> authorized by AAA server. The AAA server SHOULD initiate prefix 
> renumbering process. "
Frank=>IPv6 renumbering is a feature of IPv6.
If we tie the lifetime of prefix to the lifetime of AAA session,
it is certain that we can't suport IPv6 renumbering.
Even though IPv6 renumbering probably happen probably
infrequently, it is better for us to have such a mechnism to support.

For IPv6 renumbering, here are some references
RFC 1916/2071/2072/2874/2894/4076/4192.

>
> RFC2119 seems to be a bit randomly used in the document.
Frank=>We will polish the draft,
and also welcome more poeple to join us.

>
> Ciao
> Hannes
>
> _______________________________________________
> DiME mailing list
> DiME@ietf.org
> https://www.ietf.org/mailman/listinfo/dime
> 


_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

v2.23.0 | Report a Bug | By Email