IETF Logo Mail Archive

Re: [MEXT] review of draft-bajko-mext-sod-01

<Basavaraj.Patil@nokia.com> Wed, 09 February 2011 21:55 UTC

Return-Path: <Basavaraj.Patil@nokia.com>
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E12B03A687D for <mext@core3.amsl.com>; Wed, 9 Feb 2011 13:55:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.849
X-Spam-Level:
X-Spam-Status: No, score=-102.849 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvwzviRLZkhx for <mext@core3.amsl.com>; Wed, 9 Feb 2011 13:55:33 -0800 (PST)
Received: from mgw-da02.nokia.com (smtp.nokia.com [147.243.128.26]) by core3.amsl.com (Postfix) with ESMTP id C328B3A6823 for <mext@ietf.org>; Wed, 9 Feb 2011 13:55:33 -0800 (PST)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com [10.160.244.31]) by mgw-da02.nokia.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p19LtdYC013545; Wed, 9 Feb 2011 23:55:41 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh105.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Wed, 9 Feb 2011 23:55:35 +0200
Received: from 008-AM1MMR1-004.mgdnok.nokia.com (65.54.30.59) by NOK-am1MHUB-02.mgdnok.nokia.com (65.54.30.6) with Microsoft SMTP Server (TLS) id 8.2.255.0; Wed, 9 Feb 2011 22:55:35 +0100
Received: from 008-AM1MPN1-005.mgdnok.nokia.com ([169.254.4.149]) by 008-AM1MMR1-004.mgdnok.nokia.com ([65.54.30.59]) with mapi; Wed, 9 Feb 2011 22:55:34 +0100
From: <Basavaraj.Patil@nokia.com>
To: <julien.ietf@gmail.com>, <jouni.nospam@gmail.com>
Thread-Topic: [MEXT] review of draft-bajko-mext-sod-01
Thread-Index: AQHLyJ8dSCK9a2QbvUK4pM+P3yniPJP5pYuA//+cAgA=
Date: Wed, 9 Feb 2011 21:55:32 +0000
Message-ID: <C978694D.EADC%basavaraj.patil@nokia.com>
In-Reply-To: <AANLkTikQsb0xwnrG5qxCJ4RV45_tD6tuy0ndHdnPcnro@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.0.101115
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1743c08a-19a2-44a2-8488-66a89724de05>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 09 Feb 2011 21:55:35.0677 (UTC) FILETIME=[14A572D0:01CBC8A4]
X-Nokia-AV: Clean
Cc: draft-bajko-mext-sod@tools.ietf.org, mext@ietf.org
Subject: Re: [MEXT] review of draft-bajko-mext-sod-01
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2011 21:55:35 -0000

Thanks for the reviews and comments.
We are cognizant of Julien's comments regarding the flag (from the past
two meetings :) ) and will make the necessary changes in the next rev.

-Raj

On 2/9/11 3:53 PM, "ext Julien Laganier" <julien.ietf@gmail.com> wrote:

>Jouni -
>
>Thanks for the review!
>
>Please see some comments below:
>
>On Wed, Feb 9, 2011 at 1:19 PM, jouni korhonen <jouni.nospam@gmail.com>
>wrote:
>> Hi,
>>
>> In Beijing meeting I volunteered to review draft-bajko-mext-sod-01.
>>
>> I'll skip the editorials and such. The text would need some editing for
>>sure ;)
>>
>>
>> * Section 1
>>
>>   As per the current MIP6 [RFC3775] specification, only the MN has the
>>   ability to enable security for user-plane traffic. The HA has no
>>   ability to force the MN to secure user traffic.
>>
>> Strictly based on rfc3775 yes. However, if IKE is used as the key
>>management protocol, then it is possible to have some level of security
>>level negotiation between the MN and the HA. That approach would not be
>>as dynamic as proposed in the I-D but still..
>
>My understanding of IKE is that although it can be used to update the
>SPD,  changing the fundamentals of a bypass or protect rules that
>applies to user plane traffic wouldn't  fall in the scope of IKE --
>see quote from RFC 5996:
>
>   When an RFC4301-compliant IPsec subsystem receives an IP packet that
>   matches a "protect" selector in its Security Policy Database (SPD),
>   the subsystem protects that packet with IPsec.  When no SA exists
>   yet, it is the task of IKE to create it.  Maintenance of a system's
>   SPD is outside the scope of IKE, although some implementations might
>   update their SPD in connection with the running of IKE (for an
>   example scenario, see Section 1.1.3).
>
>   Traffic Selector (TS) payloads allow endpoints to communicate some of
>   the information from their SPD to their peers.  These must be
>   communicated to IKE from the SPD (for example, the PF_KEY API [PFKEY]
>   uses the SADB_ACQUIRE message).  TS payloads specify the selection
>   criteria for packets that will be forwarded over the newly set up SA.
>   This can serve as a consistency check in some scenarios to assure
>   that the SPDs are consistent.  In others, it guides the dynamic
>   update of the SPD.
>
>Would you disagree?
>
>> * Section 2
>>
>> This section would definitely benefit from having more references to
>>the different technologies/elements listed. Also expanding some of the
>>acronyms would not make harm.
>>
>> * Section 3
>>
>>   response acknowledging the request and setting the flag for user
>>   plane traffic security to Null indicating to the MN that the traffic
>>   on the link between the MN and HA will not be encrypted.
>>
>> Setting to "Null"..? Do you rather mean the HA modifies the SPD for
>>HA->MN direction accordingly and makes the MN destined user traffic to
>>bypass IPsec? And a similar action needs to be done on the MN for the
>>MN->HA direction.
>
>I think so.
>
>> * Section 4.1
>>
>>   S    When set, this flag indicates HA acknowledges, or strongly
>>   recommends, use of user plane encryption. When clear, HA does not
>>   support or allow use of user plane encryption.
>>
>> This also means that the MN has no way of knowing whether the S was
>>unset because a) HA policy said so, or b) HA did not understand the
>>whole thing. In case of b) the MN might want to detach from this
>>particular HA and try to find a HA that supports the feature proposed in
>>this I-D. I see this as an issue that needs to be solved somehow.
>
>I agree with Jouni. And actually I've commented many times ;-) that
>the flag should go away and a new mobility option should be included
>that carries to flag, an 'I' for integrity protection, and a 'C' for
>confidentiality protection since these are different capabilities.
>Also having it in a mobility option would avoid the issue outline
>since a HA that doesn' t understand the option would not send it back
>and the MN wouldn't have to guess what happened.
>
>> * Section 4.2
>>
>> I understand the introduction of this option but would still consider
>>it not being an essential part of the on-demand security enhancement
>>proposed by this I-D.
>
>Agree.
>
>> * Section 5
>>
>>   This document does not require actions by IANA.
>>
>> I kind of disagree ;)
>
>I think we need action by IANA to register new mobility option.
>
>> As a summary. The proposed solution seems useful. Some work on the I-D
>>is though needed.
>
>Agree.
>
>--julien

v2.8.7 | Report a Bug | By Email