IETF Logo Mail Archive

Re: [MEXT] FW: New Version Notification for draft-bajko-mext-sod-02.txt

Sri Gundavelli <sgundave@cisco.com> Tue, 19 July 2011 03:14 UTC

Return-Path: <sgundave@cisco.com>
X-Original-To: mext@ietfa.amsl.com
Delivered-To: mext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABA9F21F875E for <mext@ietfa.amsl.com>; Mon, 18 Jul 2011 20:14:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.148
X-Spam-Level:
X-Spam-Status: No, score=-3.148 tagged_above=-999 required=5 tests=[AWL=-1.945, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rb8cB6iDixB for <mext@ietfa.amsl.com>; Mon, 18 Jul 2011 20:14:28 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id D5A2621F85C6 for <mext@ietf.org>; Mon, 18 Jul 2011 20:14:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=sgundave@cisco.com; l=6800; q=dns/txt; s=iport; t=1311045268; x=1312254868; h=date:subject:from:to:cc:message-id:in-reply-to: mime-version:content-transfer-encoding; bh=RoPRrJwEgY5gQHS6zI0W59vI2zvoRK5Sr2Y0A0s3qnQ=; b=eh9xi8deSS5FF+nJh3klVxHecmVMx9JHfW1cz0o57WudFq1ebx03C4qD UUCHvqEsoqu9qnR/lC+VWQaiAtWza/m7T3q4WbJ9uFH9oiie7g4CaI5Ft zjmJ+uLqc+xZWxmHSZX1vLkgAtLAYsAP6CwvtYctRrDwmE4zX0USAra4E Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EACb2JE6rRDoH/2dsb2JhbABTplxud4h8pWueR4Y8BIclL4sShQqEV4cV
X-IronPort-AV: E=Sophos;i="4.67,226,1309737600"; d="scan'208";a="4178636"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by rcdn-iport-1.cisco.com with ESMTP; 19 Jul 2011 03:14:27 +0000
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p6J3EQLf024910; Tue, 19 Jul 2011 03:14:26 GMT
Received: from xmb-sjc-214.amer.cisco.com ([171.70.151.145]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 18 Jul 2011 20:14:26 -0700
Received: from 10.32.246.213 ([10.32.246.213]) by xmb-sjc-214.amer.cisco.com ([171.70.151.145]) with Microsoft Exchange Server HTTP-DAV ; Tue, 19 Jul 2011 03:14:25 +0000
User-Agent: Microsoft-Entourage/12.30.0.110427
Date: Mon, 18 Jul 2011 20:14:20 -0700
From: Sri Gundavelli <sgundave@cisco.com>
To: Julien Laganier <julien.ietf@gmail.com>
Message-ID: <CA4A449C.214AB%sgundave@cisco.com>
Thread-Topic: [MEXT] FW: New Version Notification for draft-bajko-mext-sod-02.txt
Thread-Index: AcxFwfNPwQ99wkYhdkij8g1C/EE2Ig==
In-Reply-To: <CAE_dhjvHqT5bT=HhzUSBTY429oaozRMeGTqrbXR1vjN6vrafYQ@mail.gmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
X-OriginalArrivalTime: 19 Jul 2011 03:14:26.0360 (UTC) FILETIME=[F71A4380:01CC45C1]
Cc: mext@ietf.org, Basavaraj.Patil@nokia.com
Subject: Re: [MEXT] FW: New Version Notification for draft-bajko-mext-sod-02.txt
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 03:14:31 -0000

Hi Julien,

Thanks for your response. Two points:

- The exchange of security policy in this draft, the semantics appear to be
a boolean in nature. I'm ignoring the  new civic location info option to be
carried in the request, as I cannot realistically tie any security policy
around that data element containing a street address. Unless, I
misunderstood.

- If I look at our IPsec implementation (should be close to any other
standard implementation), the security policy configured on the Ipsec peers,
allows the requestor to ask security services, say  X and Y. Now, the peer
can ask for X, Y, or X+Y. Translating this to MIPv6 usage, the mobile node
can ask for SA's for the control plane security and additionally the SA's
for data plane security. Now, if this is about moving the decision point of
data plane security to MIP control plane from the Ipsec layer, each time
there is an IKEv2 request, the request needs to be passed to the MIP control
plane, which seems to be one more level of indirection. Its not clear to me,
how it needs to be implemented. May be extending PF_Key interface to allow
Ipsec module to get authorization from MIPv6 is another approach.

The draft needs to have a paragraph on the motivation covering these
aspects, the limitations in the current decoupled SA negotiation model.

Also, providing some granularity around traffic selection for protection
will be more useful, as supposed to securing all data traffic, as I say in
point #4 below.

I'm not opposing or supporting this draft, just trying to understand.


Sri








On 7/18/11 11:47 AM, "Julien Laganier" <julien.ietf@gmail.com> wrote:

> Hi Sri,
> 
> Thanks for reviewing the draft. Re: point #2 below, IKEv2 is a mean
> for HA and MN to negotiate IPsec Security Association. My
> understanding of this draft is that it provides a mean for HA and MN
> to negotiate the IPsec Security Policy that govern exchange of data
> traffic between these two. As such the two are not exclusive or
> redundant, but complimentary.
> 
> What do you think?
> 
> --julien
> 
> On Sun, Jul 17, 2011 at 12:43 PM, Sri Gundavelli <sgundave@cisco.com> wrote:
>> Raj:
>> 
>> I've reviwed this draft. Clarifying questions.
>> 
>> 
>> 
>> 1. New Mobility option
>> 
>>> data contains a location in XML format as defined in RFC5139
>> 
>> I'm bit surprised on the need to carry Civic Location info. I thought it is
>> intended for human interpretation. Ex: Building 24, 2nd Floor, in front of
>> Starbucks, when this location info in this format is carried in MIP binding
>> option, how can the home agent make use of it realistically ? I'm not sure,
>> beyond the "S" flag the draft proposes, if this new mobility option is
>> needed ? The draft is also not clear on the aspect of negotiation. It
>> appears to be more a request in the form of "S" flag in the draft.
>> 
>> 
>> 2. Use of IKEv2/RFC 4877
>> 
>> If the MN is in a location where it decides to enable security protection
>> for the data traffic, it can certainly establish an IPsec SA for the tunnel
>> mode ESP. Wondering, if this needs to be achieved over a MIP control plane
>> and the advantages with that approach ? Even if this needs to be determined
>> after the MIP session set up, still there needs to be IKEv2 protocol
>> exchange for creating the SA ? Nothing stops either the HA or the MN to
>> create an SA for the tunnel mode ESP.
>> 
>> 
>> 3. General question
>> 
>> The HA is providing IP mobility service for the mobile node's home address.
>> From the mobile node, or a correspondent node perspective, the home agent is
>> just a pass through device. Securing the MN-HA link can certainly protects
>> all the traffic for some part of the path segment, but it is not sufficient.
>> If the argument is that, this is also a consideration for mobility service,
>> as Julien/Raj or some one commented when it was presented, but I could not
>> agree either way in my head, if this is really a service that the home agent
>> needs to offer, or if it should be between the traffic flow end points.
>> 
>> 4. Granularity/Traffic Selectors for Protection
>> 
>> The mobile node may decide not to secure all traffic, as there is some
>> pandora/youtube or other garbage traffic, which does not require protection.
>> The approach here seems to be enable or disable data plane security. Why not
>> try this with the DSMIP traffic flow selectors, as part of access selection
>> for a flow, adding a bit to turn or off security might be an option ? You
>> get the granularity for traffic protection as well.
>> 
>> 
>> Regards
>> Sri
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On 7/13/11 2:40 PM, "Basavaraj.Patil@nokia.com" <Basavaraj.Patil@nokia.com>
>> wrote:
>> 
>>> 
>>> We have posted a new version of the I-D. This does not incorporate the
>>> review comments from Julien L., Kent Leung, Stefano Faccin and Jouni
>>> Korhonen. We hope to do that in Rev 3 of the I-D in the next few weeks.
>>> 
>>> -Raj
>>> 
>>> On 7/11/11 6:10 PM, "ext internet-drafts@ietf.org"
>>> <internet-drafts@ietf.org> wrote:
>>> 
>>>> A new version of I-D, draft-bajko-mext-sod-02.txt has been successfully
>>>> submitted by Basavaraj Patil and posted to the IETF repository.
>>>> 
>>>> Filename:     draft-bajko-mext-sod
>>>> Revision:     02
>>>> Title:         Security on Demand for Mobile IPv6 and Dual-stack Mobile
>>>> IPv6
>>>> Creation date:     2011-07-12
>>>> WG ID:         Individual Submission
>>>> Number of pages: 9
>>>> 
>>>> Abstract:
>>>>   Mobile IPv6 and Dual-stack Mobile IPv6 protocols require the
>>>>   signaling messages between the mobile node and home agent to be
>>>>   secured.  However security for the user plane/traffic is optional and
>>>>   is a choice left to the mobile node.  This document proposes
>>>>   extensions to Mobile IPv6 signaling which enables the user plane
>>>>   traffic to be secured on a need or on-demand basis.  The mobile node
>>>>   or the home agent can request at any time security for the user plane
>>>>   traffic.  Security for user plane traffic can be triggered as a
>>>>   result of policy or, mobility or, at the user&#39;s choice.
>>>> 
>>>> 
>>> 
>>> _______________________________________________
>>> MEXT mailing list
>>> MEXT@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mext
>> 
>> _______________________________________________
>> MEXT mailing list
>> MEXT@ietf.org
>> https://www.ietf.org/mailman/listinfo/mext
>>

v2.8.7 | Report a Bug | By Email