Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks

Julien Laganier <julien.ietf@gmail.com> Wed, 31 August 2011 19:10 UTC

In-Reply-To: <4E5BDF45.9040702@computer.org>
References: <CA7EF880.197F2%hesham@elevatemobile.com> <4E5BDF45.9040702@computer.org>
Date: Wed, 31 Aug 2011 12:11:43 -0700
Message-ID: <CAE_dhjuEUOfmOfHQvfw0LXY29DSgif--NUxK63uE+VFj0YT8Kg@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: charliep@computer.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Pete McCann <mccap@petoni.org>, mext <mext@ietf.org>
Subject: Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>

Hello Charlie,

Mutual authentication between the MN and the HA is only required at
binding creation to set up the MIPv6 security association that is
keyed with the Home Address; the same security association is then
used to protect further binding updates. Thus there is no
serialization of authentication used for network access and MIPv6.

Whether or not network access authentication has to be repeated at
every attachment to a new network is also not a given. There are a
certain number of optimizations that avoid re-running full network
access authentication procedures.

In any case I would like to note that the issues in that space seem
not to be specific to MIPv6/MEXT and more appropriately belong to
different fora, e.g., PANA for IETF-specified network access
authentication, the security area for what pertains to authentication
mechanisms per se, or the SDO in charge of the specific underlying
technology encountering the problem.

Let's try to focus discussions on this mailing list on what we are
chartered to work on.

Regards,

--julien



On Mon, Aug 29, 2011 at 11:49 AM, Charles E. Perkins
<charliep@computer.org> wrote:
> Hello Hesham,
>
> On 8/27/2011 2:40 AM, Hesham Soliman wrote:
>
>> First, access authentication and HA auth are two
>> completely different issues for different purposes.
>
> That is highly debatable, and I certainly disagree that
> they are required to be completely separate.  Moreover,
> the authentication often relies on access to the same
> authentication server.  Doesn't sound completely separate
> to me!  Why is it good to enforce multiple round trips
> to bottleneck systems just to ask the same question
> multiple times?  Actually, I know the answer:
> "That's just how it's done".  Do you _really_ think
> that ought to be good enough?
>
> I think these serialized authentications are a major
> impediment to good performance, and that proper design
> would maintain robust security while enabling much
> better performance.  And, to reiterate, I strongly
> disagree that tunnel redirection is fundamentally
> required to be separated from establishing access
> to the wireless media.
>
> Do you agree that we should give up on single-radio?
>
> What about multi-radio devices with N interfaces?
> Should we just run all the network interfaces?
> Sounds bad to me.
>
>> Second, I don't think MIPv6 is not deployed
>> because it adds a one-off SA setup with the HA.
>
> The above authentications are not "one-off".  They happen
> at every new WiFi network, or more generally at every new
> point of attachment to a different radio access technology.
> I'm fine with setting up a SA with the home agent, but that's
> not the problem.
>
>> I wish that was the reason.
>
> Well, in your opinion what _is_ the reason?
>
> Regards,
> Charlie P.
>
>
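The point Julien makes above (mutual MN/HA authentication runs once, at binding creation, and the resulting security association keyed on the Home Address protects every later Binding Update, so handovers do not re-run it), shown as an added toy model. This is example code written for this archive page, not code from the MEXT WG or from any MIPv6 implementation. Real MIPv6 protects Binding Updates with IPsec ESP and sets the SA up with IKEv2 (RFC 4877); the model swaps that for a challenge/response over a pre-shared credential and an HMAC-SHA256 authenticator over the BU fields. The addresses, credential, class and function names are all constructed for the example; network access authentication is represented only by a counter so its independence from the MIPv6 SA is visible.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def prf(key: bytes, *parts: bytes) -> bytes:
    """Toy PRF: HMAC-SHA256 over '|'-joined parts (not a real wire encoding)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


@dataclass
class BindingSA:
    home_address: str
    key: bytes
    last_seq: int = -1  # highest accepted Binding Update sequence number (replay check)


class HomeAgent:
    def __init__(self, credentials):
        self.credentials = credentials  # HoA -> pre-shared credential (stands in for AAA data)
        self.pending = {}               # HoA -> challenge nonce awaiting the MN's proof
        self.sas = {}                   # HoA -> BindingSA: the SA is keyed by Home Address
        self.binding_cache = {}         # HoA -> current care-of address
        self.mutual_auth_runs = 0

    # Mutual authentication: run once, at binding creation only.
    def auth_challenge(self, hoa):
        if hoa not in self.credentials:
            raise PermissionError("unknown home address")
        self.pending[hoa] = os.urandom(16)
        return self.pending[hoa]

    def auth_finish(self, hoa, mn_nonce, mn_proof):
        ha_nonce = self.pending.pop(hoa, None)
        if ha_nonce is None:
            raise PermissionError("no outstanding challenge for this home address")
        psk = self.credentials[hoa]
        if not hmac.compare_digest(prf(psk, b"MN", mn_nonce, ha_nonce), mn_proof):
            raise PermissionError("MN failed to prove its credential")
        self.mutual_auth_runs += 1
        self.sas[hoa] = BindingSA(hoa, prf(psk, b"SA", mn_nonce, ha_nonce))
        return prf(psk, b"HA", mn_nonce, ha_nonce)  # HA's proof back to the MN

    # Every BU, including the first, is checked against the existing SA only.
    def process_binding_update(self, hoa, coa, seq, tag):
        sa = self.sas.get(hoa)
        if sa is None:
            raise PermissionError("no SA for this home address; create the binding first")
        expected = prf(sa.key, b"BU", hoa.encode(), coa.encode(), seq.to_bytes(2, "big"))
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("bad BU authenticator")
        if seq <= sa.last_seq:
            raise PermissionError("replayed or stale BU")
        sa.last_seq = seq
        self.binding_cache[hoa] = coa
        return True


class MobileNode:
    def __init__(self, hoa, credential):
        self.hoa, self.credential = hoa, credential
        self.sa, self.coa, self.seq = None, None, 0
        self.access_auth_runs = 0

    def attach(self, coa):
        """New point of attachment: network access authentication (EAP/802.1X or
        similar) happens here, independently of MIPv6; modelled as a counter."""
        self.access_auth_runs += 1
        self.coa = coa

    def create_binding(self, ha):
        ha_nonce = ha.auth_challenge(self.hoa)
        mn_nonce = os.urandom(16)
        mn_proof = prf(self.credential, b"MN", mn_nonce, ha_nonce)
        ha_proof = ha.auth_finish(self.hoa, mn_nonce, mn_proof)
        if not hmac.compare_digest(prf(self.credential, b"HA", mn_nonce, ha_nonce), ha_proof):
            raise PermissionError("HA failed to authenticate")
        self.sa = BindingSA(self.hoa, prf(self.credential, b"SA", mn_nonce, ha_nonce))
        return ha.process_binding_update(*self.build_binding_update())

    def build_binding_update(self):
        if self.sa is None:
            raise RuntimeError("no SA: create the binding first")
        self.seq += 1
        tag = prf(self.sa.key, b"BU", self.hoa.encode(), self.coa.encode(), self.seq.to_bytes(2, "big"))
        return self.hoa, self.coa, self.seq, tag


def roam_demo():
    """Constructed scenario: one binding creation, then three handovers."""
    hoa, psk = "2001:db8:home::1", b"constructed-pre-shared-credential"
    ha, mn = HomeAgent({hoa: psk}), MobileNode(hoa, psk)
    mn.attach("2001:db8:a::10")
    mn.create_binding(ha)
    for coa in ("2001:db8:b::10", "2001:db8:c::10", "2001:db8:d::10"):
        mn.attach(coa)                                          # access auth runs again ...
        ha.process_binding_update(*mn.build_binding_update())   # ... MN/HA auth does not
    return {"mutual_auth_runs": ha.mutual_auth_runs,
            "access_auth_runs": mn.access_auth_runs,
            "current_coa": ha.binding_cache[hoa]}


def replay_rejected():
    """A captured BU delivered twice: the second copy fails the sequence check."""
    hoa, psk = "2001:db8:home::1", b"constructed-pre-shared-credential"
    ha, mn = HomeAgent({hoa: psk}), MobileNode(hoa, psk)
    mn.attach("2001:db8:a::10")
    mn.create_binding(ha)
    mn.attach("2001:db8:b::10")
    bu = mn.build_binding_update()
    ha.process_binding_update(*bu)
    try:
        ha.process_binding_update(*bu)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(roam_demo(), "replay rejected:", replay_rejected())
```

Running the script shows four access authentications against a single MN/HA mutual authentication, with the binding cache ending at the last care-of address; the SA lookup is by Home Address, not by care-of address, which is what lets a handover be a plain BU rather than a fresh authentication. The sequence-number check is what makes the second delivery of a captured BU fail.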