Re: [MEXT] RFC 3775bis: mandate on the use of IPsec
"Alper Yegin" <alper.yegin@yegin.org> Fri, 21 November 2008 16:59 UTC
Return-Path: <mext-bounces@ietf.org>
X-Original-To: mext-archive@optimus.ietf.org
Delivered-To: ietfarch-mext-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F48328C0EB; Fri, 21 Nov 2008 08:59:20 -0800 (PST)
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E7BE53A6A64 for <mext@core3.amsl.com>; Fri, 21 Nov 2008 08:59:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.15
X-Spam-Level:
X-Spam-Status: No, score=-1.15 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s3MsdsIa+qGs for <mext@core3.amsl.com>; Fri, 21 Nov 2008 08:59:18 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id 0D4F73A6A5E for <mext@ietf.org>; Fri, 21 Nov 2008 08:59:18 -0800 (PST)
Received: from LENOVO ([130.129.94.244]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MKp8S-1L3ZLY3LCx-0006bt; Fri, 21 Nov 2008 11:59:12 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Arnaud Ebalard' <arno@natisbad.org>
References: <016901c94bf2$cc3abc60$64b03520$@yegin@yegin.org> <877i6xm3b8.fsf@natisbad.org>
In-Reply-To: <877i6xm3b8.fsf@natisbad.org>
Date: Fri, 21 Nov 2008 18:59:08 +0200
Message-ID: <017e01c94bfa$7a9fa5c0$6fdef140$@yegin>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AclL+Xw798VNpuyjR/6uYDcLp5LF9AAAMqeg
Content-Language: en-us
X-Provags-ID: V01U2FsdGVkX1+xaYezTvY/paeVNr+y8bpDv35m5TPyWiYsWYA wG/KXp4WT4ELBhC6gYQ127kfOR1HsahOthPJ3MUySf8ZKvwRPu s4C+Ke0vjbijDO3z0CGZQ==
Cc: charliep@computer.org, mext@ietf.org
Subject: Re: [MEXT] RFC 3775bis: mandate on the use of IPsec
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: mext-bounces@ietf.org
Errors-To: mext-bounces@ietf.org
If IPsec was so good to MIP and RFC 4285-type solution was so insufficient, we would have seen IPsec support defined for MIPv4.... Alper > -----Original Message----- > From: Arnaud Ebalard [mailto:arno@natisbad.org] > Sent: Friday, November 21, 2008 6:50 PM > To: Alper Yegin > Cc: charliep@computer.org; mext@ietf.org > Subject: Re: [MEXT] RFC 3775bis: mandate on the use of IPsec > > > "Alper Yegin" <alper.yegin@yegin.org> writes: > > > Another issue with RFC 3775 is with the following text: > > > > The mobile node and the home agent MUST use an IPsec security > > association to protect the integrity and authenticity of the > Binding > > Updates and Acknowledgements. > > > > Given the presence of RFC 4285 (and its adoption) it does not make > sense to > > mandate "use of IPsec." It's not like we expect RFC 4285 users to run > it on > > top of IPsec because RFC 3775 mandates use of IPsec J > > > > Note that we already took care of this with RFC 5213 which says: > > > > The mobile access gateway and the local mobility anchor MUST > > implement IPsec for protecting the Proxy Mobile IPv6 signaling > > messages [RFC4301]. IPsec is a mandatory-to-implement security > > mechanism. However, additional documents may specify alternative > > mechanisms and the mobility entities can enable a specific > mechanism > > for securing Proxy Mobile IPv6 signaling messages, based on either > a > > static configuration or after a dynamic negotiation using any > > standard security negotiation protocols. > > IPsec has been chosen as the solution to protect MIPv6 signaling and > data (3775, 3776, 4877, ...). One good argument (IMHO) was that IPv6 > node are all expected to implement IPsec. Maybe we can argue on this > IPv6 requirement for constrained devices but mext is not the place to > do > that. > > AFAICT, afterwhile, some specific captive environments with security at > the link level and specific habits felt the need to have a lighter, > possibly less powerful (in term of evolution and security wise) > solution. [whyauth] explains that perfectly, IMHO. 4285 is a *specific* > solution dedicated to a specific set of environments. > > MIPv6 security mechanisms (based IPsec/IKE) probably have their own > drawbacks (requiring availability and integration between those > components) but it covers most cases and generic networks. For > instance, > w/ a RFC4285-only based MIPv6 (no IPsec), which L3 security mechanism > would be available to protect the communications between MN and HA? > > BTW, arguing against IPsec as the MIPv6 security protocol in the > context > of 3775bis does not make sense. > > Cheers, > > a+ > > [whyauth] : http://tools.ietf.org/html/draft-ietf-mip6- > whyauthdataoption-07.html _______________________________________________ MEXT mailing list MEXT@ietf.org https://www.ietf.org/mailman/listinfo/mext
- [MEXT] RFC 3775bis: mandate on the use of IPsec Alper Yegin
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Arnaud Ebalard
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Alper Yegin
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Arnaud Ebalard
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Hesham Soliman
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Alper Yegin