Re: [IPsec] Some comments to the draft-gundavelli-ipsecme-3gpp-ims-options-00.txt

"Sri Gundavelli (sgundave)" <> Sun, 21 April 2013 20:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BB64121F93D7 for <>; Sun, 21 Apr 2013 13:48:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 00PCYlv1ntGS for <>; Sun, 21 Apr 2013 13:48:07 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 524B421F93D6 for <>; Sun, 21 Apr 2013 13:48:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=6007; q=dns/txt; s=iport; t=1366577287; x=1367786887; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=jvcnFsPpZqvL4LkRdvhUj2J/7mBFZQhmQC0vb0DyVQA=; b=mKe3JaImkFQngjgfSq1kHqQwrK4MgUIwBR/rtgMluA/xTSE6znhzfNci 9o8Aad/PHF2u+K+SYdKVCghc/AJ5hhX6e+FiXpsWGkfvmtUy1PV18enhf iFFgpuJMNn261L2xHNqypgABj4bchpwUqNR+snd7GZZPvxT0D/DGP6oc8 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.87,520,1363132800"; d="scan'208";a="201267899"
Received: from ([]) by with ESMTP; 21 Apr 2013 20:48:07 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r3LKm6c6004797 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 21 Apr 2013 20:48:06 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Sun, 21 Apr 2013 15:48:06 -0500
From: "Sri Gundavelli (sgundave)" <>
To: Tero Kivinen <>, "Aeneas Dodd-Noble (noblea)" <>, "" <>, "" <>
Thread-Topic: Some comments to the draft-gundavelli-ipsecme-3gpp-ims-options-00.txt
Thread-Index: AQHOPBbfkK3N7LSI7ECyznXpomQb85jhCVaA
Date: Sun, 21 Apr 2013 20:48:06 +0000
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [IPsec] Some comments to the draft-gundavelli-ipsecme-3gpp-ims-options-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Apr 2013 20:48:08 -0000

Hi Tero,

Thanks a lot for the review comments. This is very helpful.

Please see inline.

On 4/18/13 2:26 AM, "Tero Kivinen" <> wrote:

>In section 3 and 4, there is text saying:
>   Length (2 octets)
>      Length of the value field in octets.  In this case, its 4.
>   Length (2 octets)
>      Length of the value field in octets.  In this case, its 16.
>But the length of the configuration attribute value can also be 0 for
>the requests. At least in general case, I do not know whether this
>P-CSCF_IP{4,6}_ADDRESS option is supposed to be normal configurable
>option or something else. In normal case the client either sends empty
>request, and server fills the value in, or the client sends request
>telling the preferred value, and server either replies with that or
>something else.

The goal is to allow the client to request for the configuration value, so
the server can populate it. So, the client sends a request with a
NULL/ value, and the server can include the Attribute with a proper
value in the response message.

>The draft also says:
>   Multiple instances of this Attribute with different values can be
>   present in the configuration payload and there is no implied
>   preferrential order.
>In RFC5996 we have text which says that for INTERNAL_IP{4,6}_ADDRESS
>the multi-valued return values only work in a way, that client sends
>as many entries in the request as it is willing to get back in the
>reply, and server can only return as many (or fewer) items there was
>in the request. This is to allow client to decide whether it wants to
>support multi-valued addresses. Do you want to do similar thing here,
>or is it assumed that all implementations do allow multiple values for
>this attribute? The text from RFC5996 says as follows:

The client should be able to include a single a instance of the Attribute
with a value of, but the server should be able to offer one or
more instances of the Attribute.

In this case, there is no real requirement for the client to indicate
capability for multiple instances. We can safely assume the client can
handle one or more values.

We did have some discussion on if there is an implied order when multiple
instances of the Attribute or present. In the context of 3GPP interface
where it will be used, the server obtains these Attribute values from the
PGW over S2b interface and there is no such order on that interface. So,
we will not indicate any order, its up to the client on how it decides to
use those values.

>      internal network, sometimes called a red node address or private
>      address, and it MAY be a private address on the Internet.  In a
>      request message, the address specified is a requested address (or
>      a zero-length address if no specific address is requested).  If a
>      specific address is requested, it likely indicates that a previous
>      connection existed with this address and the requestor would like
>      to reuse that address.  With IPv6, a requestor MAY supply the low-
>      order address octets it wants to use.  Multiple internal addresses
>      MAY be requested by requesting multiple internal address
>      attributes.  The responder MAY only send up to the number of
>      addresses requested.
>This also points out how the request can either be empty or have some
>previously used value in. Do you want to do similar thing here?

The request should be empty. I don't believe ePDG is sending specific
hints over S2b interface and so we are bound by that interface definition.
I will check the spec to be sure.

>Also in section 5 Example Scenario, it would be nice to have values
>filled in to the P-CSCF_IP{4,6}_ADDRESS attributes, just like you have
>values filled to other attributes (INTERNAL_IP4_ADDRESS and
>INTERNAL_IP4_DNS). I.e. the request is most likely empty and reply
>contains something.

Sure. Will address these comments.

These are very good comment. Very helpful. Appreciate it.


>         Client      Gateway
>        --------    ---------
>         HDR(IKE_SA_INIT), SAi1, KEi, Ni  -->
>                  <--  HDR(IKE_SA_INIT), SAr1, KEr, Nr, [CERTREQ]
>         HDR(IKE_AUTH),
>         SK { IDi, CERT, [CERTREQ], AUTH, [IDr],
>              CP(CFG_REQUEST) =
>                 { INTERNAL_IP4_ADDRESS(),
>                   INTERNAL_IP4_DNS(),
>                   P-CSCF_IP4_ADDRESS,
>                   P-CSCF_IP6_ADDRESS }, SAi2,
>              TSi = (0, 0-65535,,
>              TSr = (0, 0-65535, }  -->
>                <--  HDR(IKE_AUTH),
>                     SK { IDr, CERT, AUTH,
>                          CP(CFG_REPLY) =
>                             { INTERNAL_IP4_ADDRESS(,
>                                              P-CSCF_IP4_ADDRESS,
>                                              P-CSCF_IP6_ADDRESS,
>                               INTERNAL_IP4_DNS( },
>                          SAr2,
>                          TSi = (0, 0-65535,,
>                          TSr = (0, 0-65535, }
>                    Figure 4: P-CSCF Attribute Exchange