IETF Logo Mail Archive

Re: [MEXT] FW: New Version Notification for draft-bajko-mext-sod-02.txt

Julien Laganier <julien.ietf@gmail.com> Mon, 25 July 2011 18:30 UTC

Return-Path: <julien.ietf@gmail.com>
X-Original-To: mext@ietfa.amsl.com
Delivered-To: mext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA92D21F8BB6 for <mext@ietfa.amsl.com>; Mon, 25 Jul 2011 11:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.507
X-Spam-Level:
X-Spam-Status: No, score=-3.507 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7iDjR5h0t1Dr for <mext@ietfa.amsl.com>; Mon, 25 Jul 2011 11:30:52 -0700 (PDT)
Received: from mail-ey0-f176.google.com (mail-ey0-f176.google.com [209.85.215.176]) by ietfa.amsl.com (Postfix) with ESMTP id 2949A21F8B17 for <mext@ietf.org>; Mon, 25 Jul 2011 11:30:48 -0700 (PDT)
Received: by eya28 with SMTP id 28so4351173eya.21 for <mext@ietf.org>; Mon, 25 Jul 2011 11:30:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=TJLziLCLS80uV1d/L1sSMsGG2xxx1MNr7e3MDsGmuws=; b=a7dnLFXWej4gZyAV7eapKQyiaZ4IGRjNSLd6POMHUlmUJ7ZKgxYPHw4Msj1iycCjLM j6VrlypXjCpjcmZudIQo5QbF9ocKcVUlkiXdFR0P/VOIvBoVG5qRwRldPXYSV05etHCf 4Bg4utyvzAUiXAEw+XLD1SGHlGOFCh4qniYNE=
MIME-Version: 1.0
Received: by 10.213.3.201 with SMTP id 9mr300049ebo.11.1311618647954; Mon, 25 Jul 2011 11:30:47 -0700 (PDT)
Received: by 10.213.28.7 with HTTP; Mon, 25 Jul 2011 11:30:47 -0700 (PDT)
In-Reply-To: <CA4BB5B7.21E13%sgundave@cisco.com>
References: <CAE_dhjtSY8Ufm0ZGxVm9Vt10dE28mCr_jmDGijhx=jESwdnOQw@mail.gmail.com> <CA4BB5B7.21E13%sgundave@cisco.com>
Date: Mon, 25 Jul 2011 11:30:47 -0700
Message-ID: <CAE_dhju61EaaHLtvNHL4Oa025NN1D3iXbT9d+-SWT+ofmQha8w@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Sri Gundavelli <sgundave@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: mext@ietf.org, Basavaraj.Patil@nokia.com
Subject: Re: [MEXT] FW: New Version Notification for draft-bajko-mext-sod-02.txt
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 18:30:53 -0000

Hi Sri,

On Tue, Jul 19, 2011 at 10:29 PM, Sri Gundavelli <sgundave@cisco.com> wrote:
> Hi Julien,
>
> On 7/19/11 8:09 AM, "Julien Laganier" <julien.ietf@gmail.com> wrote:
>
>> Hi Sri,
>>
>> With the risk of repeating myself: the role of IKE is to negotiate
>> security associations between hosts. The security associations permits
>> the enforcement of the security policy. This draft is concerned with a
>> mechanism allowing the MN and the HA to agree on the security policy
>> that governs exchange of data traffic between them.
>>
>
> Sure, I understand that part about moving the decision logic to MIP control
> plane, and control the IPsec layer ...

I might be a bit pedantic here, but to make sure we' re on the same
page. We are not _moving_ any logic to MIP control plane. The SPD
logic remains where it is, in the IPsec layer. What this document is
about is a way for MIPv6 nodes to agree whether or not the SPD
specifies protection of data traffic as specified in RFC 3776.

>> I am also not sure why there would be a need for more granularity. I
>> understood that the motivation between the draft is to be able to turn
>> on and off the IP layer (IPsec) protection of data traffic based on
>> the protection offered by an access network to which the MN attaches,
>> typically at layer 2 (e.g., 802.11). I don' t know why what traffic
>> gets or does not get protected would need to be negotiated dynamically
>> based on the context in which the MN is, e.g., a hotel hotspot vs. a
>> corporate Wi-Fi. To me that seems (semi-)static...
>
> Enabling security on the data sessions comes at high-resource requirement on
> the gateway. If the access network where the mobile node is attached to does
> not provide any security service, the MN can decide to turn on the security,
> but allowing that on select streams will be useful. Do I care, if my youtube
> stream goes unsecure, but I may care for my SIP flow. It can be a on/off
> switch too .., any case its not orthogonal to the base principle of, MN and
> HA agree on the security policy for the data traffic between them, as we
> talk above ...

I understand the use case you describe. In this case the user data
traffic protection consists of applying ESP to only part of the
traffic by setting X to the appropriate values (e.g. SIP) in the
examples documented in RFC 3776. From then on the mechanism described
in this draft can be used to turn ON and OFF that protection of data.
In other words, the details of user data protection needs not to be
agreed dynamically. What needs to be agreed on is whether or not the
user data protection is needed in the first place. It might not on
some radio accesses (e.g. cellular)

--julien

v2.8.7 | Report a Bug | By Email