Re: [MEXT] review of draft-bajko-mext-sod-01
jouni korhonen <jouni.nospam@gmail.com> Wed, 09 February 2011 22:22 UTC
From: jouni korhonen <jouni.nospam@gmail.com>
In-Reply-To: <AANLkTikQsb0xwnrG5qxCJ4RV45_tD6tuy0ndHdnPcnro@mail.gmail.com>
Date: Thu, 10 Feb 2011 00:22:54 +0200
Message-Id: <40F7FF8A-2462-4FFC-A77A-D528DC1FD7D0@gmail.com>
References: <5ECC386B-CD36-45AE-943D-01F39264242D@gmail.com>
<AANLkTikQsb0xwnrG5qxCJ4RV45_tD6tuy0ndHdnPcnro@mail.gmail.com>
To: Julien Laganier <julien.ietf@gmail.com>
Cc: draft-bajko-mext-sod@tools.ietf.org, mext@ietf.org
Subject: Re: [MEXT] review of draft-bajko-mext-sod-01
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
Julien,

On Feb 9, 2011, at 11:53 PM, Julien Laganier wrote:

> Jouni -
>
> Thanks for the review!
>
> Please see some comments below:
>>
>> * Section 1
>>
>> As per the current MIP6 [RFC3775] specification, only the MN has the
>> ability to enable security for user-plane traffic. The HA has no
>> ability to force the MN to secure user traffic.
>>
>> Strictly based on rfc3775 yes. However, if IKE is used as the key
>> management protocol, then it is possible to have some level of
>> security level negotiation between the MN and the HA. That approach
>> would not be as dynamic as proposed in the I-D but still..
>
> My understanding of IKE is that although it can be used to update the
> SPD, changing the fundamentals of a bypass or protect rules that
> applies to user plane traffic wouldn't fall in the scope of IKE --
> see quote from RFC 5996:

I should have written my thoughts more clearly. What I meant here is that a MN and a HA may have a bunch of proposals to agree on. The MN and the HA can agree on a transform that provides no encryption. And this is essentially for the HA to enforce. I know it is somewhat far-fetched but doable to some extent.

- Jouni

>
> When an RFC4301-compliant IPsec subsystem receives an IP packet that
> matches a "protect" selector in its Security Policy Database (SPD),
> the subsystem protects that packet with IPsec. When no SA exists
> yet, it is the task of IKE to create it. Maintenance of a system's
> SPD is outside the scope of IKE, although some implementations might
> update their SPD in connection with the running of IKE (for an
> example scenario, see Section 1.1.3).
>
> Traffic Selector (TS) payloads allow endpoints to communicate some of
> the information from their SPD to their peers. These must be
> communicated to IKE from the SPD (for example, the PF_KEY API [PFKEY]
> uses the SADB_ACQUIRE message). TS payloads specify the selection
> criteria for packets that will be forwarded over the newly set up SA.
> This can serve as a consistency check in some scenarios to assure
> that the SPDs are consistent. In others, it guides the dynamic
> update of the SPD.
>
> Would you disagree?
>
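The negotiation Jouni refers to, as an added example that is not part of the thread, the draft, or any IKE implementation: a small model of IKEv2 SA-payload proposal selection (RFC 5996 sections 2.7 and 3.3). The MN, as initiator, offers proposals in preference order; the HA, as responder, applies its local policy to decide which proposal (and which transform of each type) it will accept. Assumptions: transform names use IANA IKEv2 registry labels, but transform attributes such as AES key length are omitted; the "first acceptable proposal wins" rule, the policy classes and both sample policies are constructed for illustration.

```python
from dataclasses import dataclass, field

# IKEv2 transform types (RFC 5996 section 3.3.2).
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5


@dataclass
class Proposal:
    """One proposal substructure from an SA payload: a protocol plus, for
    each transform type present, the alternatives the initiator offers.
    Transform attributes (e.g. AES key length) are left out of this model."""
    number: int
    protocol: str
    transforms: dict = field(default_factory=dict)  # ttype -> [names]


@dataclass
class ResponderPolicy:
    """Local policy at the responder (the HA): which transforms it accepts
    per type. Constructed here; a real IKE daemon derives this from its own
    configuration, not from anything the initiator sends."""
    acceptable: dict  # ttype -> set of names

    def accepts(self, ttype, name):
        return name in self.acceptable.get(ttype, set())


def select_proposal(proposals, policy):
    """Responder-side selection in the spirit of RFC 5996 section 2.7: walk
    the initiator's proposals in preference order and return the first one
    for which one acceptable transform of every type present can be chosen.
    Returns (proposal number, {ttype: chosen}) or (None, "NO_PROPOSAL_CHOSEN").
    """
    for p in proposals:
        if not p.transforms:
            continue  # malformed: a proposal must carry transforms
        chosen = {}
        for ttype, names in p.transforms.items():
            pick = next((n for n in names if policy.accepts(ttype, n)), None)
            if pick is None:
                break  # no acceptable alternative for this type: reject proposal
            chosen[ttype] = pick
        else:
            return p.number, chosen
    return None, "NO_PROPOSAL_CHOSEN"


# Constructed sample: the MN offers NULL encryption first, AES second.
INTEG_SHA256 = "AUTH_HMAC_SHA2_256_128"
MN_PROPOSALS = [
    Proposal(1, "ESP", {ENCR: ["ENCR_NULL"], INTEG: [INTEG_SHA256], ESN: ["No ESN"]}),
    Proposal(2, "ESP", {ENCR: ["ENCR_AES_CBC"], INTEG: [INTEG_SHA256], ESN: ["No ESN"]}),
]
MN_NULL_ONLY = [MN_PROPOSALS[0]]

# Two hypothetical HA policies: one tolerates ENCR_NULL, one does not.
HA_PERMITS_NULL = ResponderPolicy({
    ENCR: {"ENCR_NULL", "ENCR_AES_CBC"}, INTEG: {INTEG_SHA256}, ESN: {"No ESN"}})
HA_REQUIRES_ENCRYPTION = ResponderPolicy({
    ENCR: {"ENCR_AES_CBC"}, INTEG: {INTEG_SHA256}, ESN: {"No ESN"}})


def demo():
    """Run the three negotiation outcomes worth comparing."""
    return {
        "permissive_ha": select_proposal(MN_PROPOSALS, HA_PERMITS_NULL),
        "strict_ha": select_proposal(MN_PROPOSALS, HA_REQUIRES_ENCRYPTION),
        "strict_ha_null_only": select_proposal(MN_NULL_ONLY, HA_REQUIRES_ENCRYPTION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The three outcomes show what the responder's policy can and cannot do. With the permissive policy the HA takes proposal 1 and the child SA runs with ENCR_NULL because the MN listed it first; with the strict policy the same offer yields proposal 2 with AES. When the MN offers only ENCR_NULL, the strict HA answers NO_PROPOSAL_CHOSEN and no SA is created: the responder can refuse unencrypted user traffic, but it cannot itself add a cipher the initiator never proposed.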