Re: [MEXT] review of draft-bajko-mext-sod-01
Julien Laganier <julien.ietf@gmail.com> Wed, 09 February 2011 22:36 UTC
From: Julien Laganier <julien.ietf@gmail.com>
To: jouni korhonen <jouni.nospam@gmail.com>
Cc: draft-bajko-mext-sod@tools.ietf.org, mext@ietf.org
Subject: Re: [MEXT] review of draft-bajko-mext-sod-01
Jouni,

On Wed, Feb 9, 2011 at 2:22 PM, jouni korhonen <jouni.nospam@gmail.com> wrote:
> Julien,
>
> On Feb 9, 2011, at 11:53 PM, Julien Laganier wrote:
>
>> Jouni -
>>
>> Thanks for the review!
>>
>> Please see some comments below:
>>>
>>> * Section 1
>>>
>>> As per the current MIP6 [RFC3775] specification, only the MN has the
>>> ability to enable security for user-plane traffic. The HA has no
>>> ability to force the MN to secure user traffic.
>>>
>>> Strictly based on rfc3775 yes. However, if IKE is used as the key
>>> management protocol, then it is possible to have some level of
>>> security level negotiation between the MN and the HA. That approach
>>> would not be as dynamic as proposed in the I-D but still..
>>
>> My understanding of IKE is that although it can be used to update the
>> SPD, changing the fundamentals of a bypass or protect rules that
>> applies to user plane traffic wouldn't fall in the scope of IKE --
>> see quote from RFC 5996:
>
> I should have written my thoughts clearer. What I meant here is that a
> MN and a HA may have a bunch of proposals to agree on. The MN and the
> HA can agree on a transform that provides no encryption. And this is
> essentially for the HA to enforce. I know it is somewhat far fetched
> but doable to some extent.

Hmm. If for a single MN-HA pair there might be situations in which
confidentiality protection is to be afforded and other in which it is
not, the SPD will have to be modified. Quoting RFC 4301:

   o Processing info -- which action is required -- PROTECT, BYPASS, or
     DISCARD. There is just one action that goes with all the selector
     sets, not a separate action for each set. If the required
     processing is PROTECT, the entry contains the following
     information.

   [...]

     - algorithms -- which ones to use for AH, which ones to use for
       ESP, which ones to use for combined mode, ordered by decreasing
       priority

Would it be correct to interpret your statement as having on the HA a
PROTECT rule with algorithms as follows and in that order:

   AES_CBC + HMAC-SHA1-96
   followed by
   HMAC-SHA1-96

would allow the MN to negotiate Confidentiality protection and
Integrity Protection vs. Integrity protection only by changing its
local SPD only to contain either AES_CBC + HMAC-SHA1-96 (Confidentiality
protection and Integrity Protection) or HMAC-SHA1-96 (Integrity
protection only) and thus no MIPv6 signaling extension is needed in this
case because IKE would do the job?

I'd agree. However, the SPD would have to be modified in case the
userplane is to be passed cleartext, and that means the HA SPD has to
say BYPASS, and IKE doesn't allow to negotiate this.

Comments?

--julien
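The point made in the exchange above can be shown with a small model of the two SPDs (added here as an illustration; it is not code from the thread or from the draft). It assumes a simplified selection rule in which the HA accepts the first entry of its own priority-ordered algorithm list that the MN also offers; the function and class names are the model's own.

```python
"""Toy model of RFC 4301 SPD actions and IKE transform selection for an
MN-HA pair. Shows that a PROTECT entry on the HA that lists
AES_CBC+HMAC-SHA1-96 before HMAC-SHA1-96 lets the MN choose between
confidentiality+integrity and integrity-only by editing its own SPD,
while cleartext (BYPASS) cannot be reached through IKE at all."""
from dataclasses import dataclass, field

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"

# ESP transforms as (encryption, integrity). "NULL" is ESP-NULL, i.e. no
# encryption, integrity only.
AES_SHA1 = ("AES_CBC", "HMAC-SHA1-96")
NULL_SHA1 = ("NULL", "HMAC-SHA1-96")


@dataclass
class SpdEntry:
    action: str
    # Ordered by decreasing priority; only meaningful when action == PROTECT.
    algorithms: list = field(default_factory=list)


def ike_select(mn_proposals, ha_entry):
    """HA-side choice among the MN's proposals (assumed rule: first entry of
    the HA's priority list the MN also offered). None means no SA."""
    if ha_entry.action != PROTECT:
        return None  # BYPASS/DISCARD carry no algorithms to negotiate
    for alg in ha_entry.algorithms:
        if alg in mn_proposals:
            return alg
    return None


def user_plane_outcome(mn_entry, ha_entry):
    """What the MN<->HA user plane ends up with, given both SPD entries."""
    if mn_entry.action == BYPASS and ha_entry.action == BYPASS:
        return "cleartext"
    if mn_entry.action == PROTECT and ha_entry.action == PROTECT:
        chosen = ike_select(mn_entry.algorithms, ha_entry)
        if chosen is None:
            return "no SA (NO_PROPOSAL_CHOSEN)"
        return "integrity-only" if chosen[0] == "NULL" else "encrypted+integrity"
    # One side protects, the other bypasses: IKE cannot bridge this, the
    # mismatch has to be fixed by changing an SPD out of band.
    return "mismatch: no usable path"
```

The HA keeps one fixed entry; only the MN entry changes between the cases, which is exactly the "IKE does the job" scenario, and the BYPASS case is the one IKE cannot negotiate.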