IETF Logo Mail Archive

Re: [MEXT] Call for WG adoption of I-D: draft-korhonen-mext-mip6-altsec

arno@natisbad.org (Arnaud Ebalard) Mon, 24 January 2011 21:55 UTC

Return-Path: <arno@natisbad.org>
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 343323A698E for <mext@core3.amsl.com>; Mon, 24 Jan 2011 13:55:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AaAi5xFlY0w0 for <mext@core3.amsl.com>; Mon, 24 Jan 2011 13:55:19 -0800 (PST)
Received: from copper.chdir.org (copper.chdir.org [88.191.97.87]) by core3.amsl.com (Postfix) with ESMTP id 170B33A698D for <mext@ietf.org>; Mon, 24 Jan 2011 13:55:19 -0800 (PST)
Received: from small (unknown [IPv6:2a01:e35:2efc:86d0:216:eaff:feec:ae14]) by copper.chdir.org (Postfix) with ESMTPSA id A0C4E450053; Mon, 24 Jan 2011 22:58:10 +0100 (CET)
X-Hashcash: 1:20:110124:marcelo@it.uc3m.es::MuAAQR+5TAO/ciid:00000000000000000000000000000000000000000001Ryu
X-Hashcash: 1:20:110124:julien.laganier.ietf@googlemail.com::u0qaMQtrfVeKH9mO:0000000000000000000000000031Zo
From: arno@natisbad.org
To: "Jan Zorz @ go6.si" <jan@go6.si>
References: <4D3DD426.6080107@it.uc3m.es> <4D3DE564.30505@go6.si>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: D3A5 B68A 839B 38A5 815A 781B B77C 0748 A7AE 341B
X-Hashcash: 1:20:110124:mext@ietf.org::sAyjZku9h0vNJFbH:0000336l
X-Hashcash: 1:20:110124:jan@go6.si::Avs3FrEml9efDXeK:000000051Bw
Date: Mon, 24 Jan 2011 22:58:09 +0100
Message-ID: <878vyarmku.fsf@natisbad.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Julien Laganier <julien.laganier.ietf@googlemail.com>, mext@ietf.org
Subject: Re: [MEXT] Call for WG adoption of I-D: draft-korhonen-mext-mip6-altsec
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jan 2011 21:55:21 -0000

Hi,

"Jan Zorz @ go6.si" <jan@go6.si> writes:

> On 1/24/11 8:33 PM, marcelo bagnulo braun wrote:
>> The ID has had 3 reviews as we require.
>> So, we are now ready to ask the WG if they think we should adopt the
>> document.
>>
>> Please express your opinion before monday 31st jan.
>
> Well, I think this I-D should go forward as it solves some issues with
> current thinking of mobile part of the stack, and it has an
> implementation, that works fine.

At some point, I wanted to test the implementation initially provided on 
http://dsmipv6-tls.nokia.net but when I went to the site later it was
no more available (current status). BTW, I was told the source code
would be available for review but never got a pointer. Which
implementation are you using? 

Regarding the draft, I am *against* adopting the document for the reasons
already given on the list a while ago (see [1]):

> Honestly, I *must* be missing something. To make a parallel, to me, you
> are trying to change a screwdriver into a hammer. And I still don't
> understand why.
>
> If you simply need a solution to encapsulate IPv4 or IPv6 packets over
> UDP with an ESP header, why don't you simply use an IKE daemon with
> support for MOBIKE? Or if you really want to use TLS for key
> provisioning, some DTLS-based VPN?
>
> Here, you combine UDP-encapsulated IPsec packet format for NAT-T (copy
> and paste of ESP rfc, iirc), replace usual IKE for key establishment by a
> *custom* protocol based on TLS and HTTP to provide key provisioning. There
> is even a section (5.6.5) to provide a mapping between TLS ciphersuites
> and the algs used to protect IPsec-piggybacked packets.

To me, what the draft describes is a patchwork based on MIPv6, ESP and
TLS. Instead of building on top of those protocols (read modularity and
interoperability), it reuses (hijacks) various blocks of associated
standards in a non-modular way. For instance, one has to reimplement ESP
in userspace to support the protocol.

Additionally, it does not support RO.

Cheers,

a+

[1]: http://permalink.gmane.org/gmane.ietf.mip6/10368

v2.23.0 | Report a Bug | By Email