IETF Logo Mail Archive

Re: [MEXT] situation with the -whyauthdataoption document

"Narayanan, Vidya" <vidyan@qualcomm.com> Mon, 08 September 2008 23:35 UTC

Return-Path: <mext-bounces@ietf.org>
X-Original-To: mext-archive@optimus.ietf.org
Delivered-To: ietfarch-mext-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CFAAC3A683A; Mon, 8 Sep 2008 16:35:13 -0700 (PDT)
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 56E7E3A683A for <mext@core3.amsl.com>; Mon, 8 Sep 2008 16:35:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.367
X-Spam-Level:
X-Spam-Status: No, score=-102.367 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pUvwYGCo8N8G for <mext@core3.amsl.com>; Mon, 8 Sep 2008 16:35:11 -0700 (PDT)
Received: from wolverine02.qualcomm.com (wolverine02.qualcomm.com [199.106.114.251]) by core3.amsl.com (Postfix) with ESMTP id 01E723A67F8 for <mext@ietf.org>; Mon, 8 Sep 2008 16:35:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=vidyan@qualcomm.com; q=dns/txt; s=qcdkim; t=1220916915; x=1252452915; h=x-mimeole:content-class:mime-version:content-type: content-transfer-encoding:subject:date:message-id: in-reply-to:x-ms-has-attach:x-ms-tnef-correlator: thread-topic:thread-index:references:from:to:cc: x-originalarrivaltime:x-ironport-av; z=X-MimeOLE:=20Produced=20By=20Microsoft=20Exchange=20V6.5 |Content-class:=20urn:content-classes:message |MIME-Version:=201.0|Content-Type:=20text/plain=3B=0D=0A =09charset=3D"us-ascii"|Content-Transfer-Encoding:=20quot ed-printable|Subject:=20RE:=20[MEXT]=20situation=20with =20the=20-whyauthdataoption=20document|Date:=20Mon,=208 =20Sep=202008=2016:34:42=20-0700|Message-ID:=20<C24CB51D5 AA800449982D9BCB903251301E18584@NAEX13.na.qualcomm.com> |In-Reply-To:=20<87tzcq6c1q.fsf@natisbad.org> |X-MS-Has-Attach:=20|X-MS-TNEF-Correlator:=20 |Thread-Topic:=20[MEXT]=20situation=20with=20the=20-whyau thdataoption=20document|Thread-Index:=20AckRsSiHMZFv+uDxR ZGxOGhp2TNlVwARvAYw|References:=20<48C5008D.7050805@piuha .net>=20<87tzcq6c1q.fsf@natisbad.org>|From:=20"Narayanan, =20Vidya"=20<vidyan@qualcomm.com>|To:=20"Arnaud=20Ebalard "=20<arno@natisbad.org>,=20"Jari=20Arkko"=20<jari.arkko@p iuha.net>|Cc:=20<draft-ietf-mip6-whyauthdataoption@tools. ietf.org>,=0D=0A=20=20=20=20=20=20=20=20"Pasi=20Eronen" =20<Pasi.Eronen@nokia.com>,=20<mext@ietf.org> |X-OriginalArrivalTime:=2008=20Sep=202008=2023:35:03.0464 =20(UTC)=20FILETIME=3D[848E7A80:01C9120B]|X-IronPort-AV: =20E=3DMcAfee=3Bi=3D"5200,2160,5379"=3B=20a=3D"7255820"; bh=W5tB9H5XPBfCsJn9xjpCYuegi6TgwdgjbspLr83rE2A=; b=S6yXhFjn2nziVnOUdsFmlVZZWgBze9KhoZwil9tCA2f99kwciWHBp7Gw zKPFvPpxBSFgiIUTzWvAm12YKfrmvVDDRauhDD61+VgZ1NC8l07ebdq5U LDoY1ca4Vy3WWGlsumofSVqNGPuoJb36v7apVnvqaEZF7xhsiqjIxJPe8 Q=;
X-IronPort-AV: E=McAfee;i="5200,2160,5379"; a="7255820"
Received: from pdmz-ns-mip.qualcomm.com (HELO ithilien.qualcomm.com) ([199.106.114.10]) by wolverine02.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2008 16:35:14 -0700
Received: from msgtransport06.qualcomm.com (msgtransport06.qualcomm.com [129.46.61.149]) by ithilien.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id m88NZEfg027994 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 8 Sep 2008 16:35:14 -0700
Received: from SANEXCAS03.na.qualcomm.com (sanexcas03.qualcomm.com [172.30.32.65]) by msgtransport06.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id m88NZ3nB012839; Mon, 8 Sep 2008 16:35:09 -0700
Received: from NAEX13.na.qualcomm.com ([129.46.51.249]) by SANEXCAS03.na.qualcomm.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 8 Sep 2008 16:35:03 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 08 Sep 2008 16:34:42 -0700
Message-ID: <C24CB51D5AA800449982D9BCB903251301E18584@NAEX13.na.qualcomm.com>
In-Reply-To: <87tzcq6c1q.fsf@natisbad.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [MEXT] situation with the -whyauthdataoption document
Thread-Index: AckRsSiHMZFv+uDxRZGxOGhp2TNlVwARvAYw
References: <48C5008D.7050805@piuha.net> <87tzcq6c1q.fsf@natisbad.org>
From: "Narayanan, Vidya" <vidyan@qualcomm.com>
To: Arnaud Ebalard <arno@natisbad.org>, Jari Arkko <jari.arkko@piuha.net>
X-OriginalArrivalTime: 08 Sep 2008 23:35:03.0464 (UTC) FILETIME=[848E7A80:01C9120B]
Cc: draft-ietf-mip6-whyauthdataoption@tools.ietf.org, Pasi Eronen <Pasi.Eronen@nokia.com>, mext@ietf.org
Subject: Re: [MEXT] situation with the -whyauthdataoption document
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: mext-bounces@ietf.org
Errors-To: mext-bounces@ietf.org

I concur with many points Arnaud raises below.  I do agree that the
draft needs to be updated with the correct current status of things with
IKEv2/IPsec.  But, I don't think it makes sense to justify the use of
RFC4285 on the basis of implementation complexities associated with
using IPsec with MIP6, especially given that the complexity has to do
with NATs rather than MIP6. 

- Vidya

> -----Original Message-----
> From: mext-bounces@ietf.org [mailto:mext-bounces@ietf.org] On 
> Behalf Of Arnaud Ebalard
> Sent: Monday, September 08, 2008 5:46 AM
> To: Jari Arkko
> Cc: draft-ietf-mip6-whyauthdataoption@tools.ietf.org; Pasi 
> Eronen; mext@ietf.org
> Subject: Re: [MEXT] situation with the -whyauthdataoption document
> 
> Hi,
> 
> Jari Arkko <jari.arkko@piuha.net> writes:
> 
> > WG, Basavaraj, Gopal,
> >
> > I wanted to let everyone know where we are with this 
> document. It was 
> > in the IESG review a week ago. There are a few details to 
> change here 
> > and there, but the main issue is in Pasi Eronen's Discuss. It is 
> > copied below. I do agree with Pasi, and I'd like the 
> authors to revise 
> > the document accordingly. After this revision, it will be a much 
> > better document -- particularly because also adds important 
> arguments.
> >
> >> First of all, I should say that after working on the DSMIPv6 
> >> document, I'm rather sympathetic to arguments that perhaps using 
> >> IPsec for Mobile IPv6 wasn't such a great idea in hindsight
> 
> I am probably a bit biased on the topic but I am sure the 
> following arguments are valid.
> 
> IPsec works fine in IPv6 environments. It also works fine in 
> MIPv6 environments, even with dynamic keying when using the 
> appropriate interface between MIPv6 and IPsec/IKE.
> 
> NAT and IPv4 have always been problematic for IPsec/IKE. 
> MIPv6 has always been an IPv6 mechanism: we should not blame 
> the choice of IPsec now that IPv4 and NAT are on the table 
> with the design of DSMIPv6.
> 
> >> , and the authentication option can be valuable in some 
> deployments. 
> 
> in *some* deployments, maybe.
> 
> But in IPv6 environments, i.e. initial the target of MIPv6, 
> IPsec is available and the required extensions (interface 
> between IPsec/IKE and
> MIPv6) can be very limited in size.
> 
> >> [snip]
> >>
> >> Somewhat surprisingly for a document defending RFC 4285, 
> the document 
> >> also doesn't mention what's IMHO the *main* advantage of RFC 4285 
> >> over IPsec: implementation complexity.
> 
> All IPv6 stacks must support IPsec. For a MIPv6 
> implementation based on those stacks, adding the required 
> bits to support interactions with IPsec is not that complex 
> (less than 600 lines in Linux Kernel for current MIGRATE 
> implementation for both XFRM and PF_KEY, for instance).
> 
> Then, adding the missing bits for IKE requires some care but 
> it is not so difficult. If you want the values for userland 
> counterparts (MIPv6 daemon and IKE daemon), I can check.
> 
> Out of curisoity, can someone provide some feedback on RFC 
> 4285 implementation?
> 
> >>  Especially with new MIPv6 features like DSMIPv6 the interface 
> >> between IPsec stack and MIPv6 stack is getting complex
> 
> If normalized at some point, it will probably be ;-)
> 
> >> and the IPsec stack needs more MIPv6-specific 
> functionality (so you 
> >> can't necessarily use just any off-the-shelf IPsec stack
> 
> If "off-the-shelf IPsec stack" means only RFC430*-compliant 
> ones, that's true. Now, you can expect some common IPsec 
> stack to provide the required MIPv6-specific functionality if 
> those are normalized (i.e. IETF reference documents produced by a WG).
> 
> But we cannot blame the IPsec stacks not to implement 
> features that the IETF is not willing to work on / push.
> 
> Cheers,
> 
> a+
> _______________________________________________
> MEXT mailing list
> MEXT@ietf.org
> https://www.ietf.org/mailman/listinfo/mext
> 
_______________________________________________
MEXT mailing list
MEXT@ietf.org
https://www.ietf.org/mailman/listinfo/mext

v2.23.0 | Report a Bug | By Email