Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Sri Gundavelli <sgundave@cisco.com> Tue, 17 March 2009 01:47 UTC
Return-Path: <sgundave@cisco.com>
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 545523A67B4; Mon, 16 Mar 2009 18:47:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.54
X-Spam-Level:
X-Spam-Status: No, score=-6.54 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WbR1NvlPTkIK; Mon, 16 Mar 2009 18:47:54 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 5506C3A6452; Mon, 16 Mar 2009 18:47:54 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.38,375,1233532800"; d="scan'208";a="156736002"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 17 Mar 2009 01:48:37 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n2H1mblt007106; Mon, 16 Mar 2009 18:48:37 -0700
Received: from irp-view13.cisco.com (irp-view13.cisco.com [171.70.120.60]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n2H1ma0x013586; Tue, 17 Mar 2009 01:48:36 GMT
Date: Mon, 16 Mar 2009 18:48:36 -0700
From: Sri Gundavelli <sgundave@cisco.com>
To: Vijay Devarapalli <vijay@wichorus.com>
In-Reply-To: <49BEFD9B.2030804@wichorus.com>
Message-ID: <Pine.GSO.4.63.0903161836090.15260@irp-view13.cisco.com>
References: <C5A96676FCD00745B64AE42D5FCC9B6E1D96E117@zrc2hxm0.corp.nortel.com> <C5DCA6D2.5751%vijay@wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1D9BFA98@zrc2hxm0.corp.nortel.com> <49B824C1.1090504@wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44418@zrc2hxm0.corp.nortel.com> <49B98649.4090606@wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA4457E@zrc2hxm0.corp.nortel.com> <49B99392.5030507@wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44711@zrc2hxm0.corp.nortel.com> <49B9AD1C.7080703@wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44982@zrc2hxm0.corp.nortel.com> <Pine.GSO.4.63.0903131052260.3061@sgundave-sb100.cisco.com> <49BEF3A6.4030207@wichorus.com> <Pine.GSO.4.63.0903161814410.15260@irp-view13.cisco.com> <49BEFD9B.2030804@wichorus.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4768; t=1237254517; x=1238118517; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=sgundave@cisco.com; z=From:=20Sri=20Gundavelli=20<sgundave@cisco.com> |Subject:=20Re=3A=20[MEXT]=20Review=20of=20draft-ietf-mext- binding-revocation-03.txt |Sender:=20; bh=CLvuiVHWgIfBu8Y/H/mNRZ/si3gEhgqEuNN1fxNu7a4=; b=QiMzVoB1rFGdbKkjrSrYSV3fwtw3s/kOYPrJT4rv07ifrwGQ2Vcn7LmCK4 TXWEcemjcKTgKaFwhaXQXx0tuw3TM2C7wZvmZUIiaFxRfbqIdVPwo0BwS+gK tyVZaAdgXC;
Authentication-Results: sj-dkim-3; header.From=sgundave@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: netlmm@ietf.org, Julien Laganier <julien.IETF@laposte.net>, mext <mext@ietf.org>
Subject: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2009 01:47:55 -0000
Hi Vijay, On Mon, 16 Mar 2009, Vijay Devarapalli wrote: > Hi Sri, > > Sri Gundavelli wrote: >> >> >> On Mon, 16 Mar 2009, Vijay Devarapalli wrote: >> >> > Sri Gundavelli wrote: >> > > > > > Does the LMA keep a list of MAGs that are authorized for >> > > > > sending bulk revocations? How is this list configured? In >> > > > > addition, I think this authorization step is unnecessary and >> > > > > should be removed. >> > > > >> > > >> > > Bulk revoc is a high security risk operation, requiring such >> > > authorization check will allow the system to build some >> > > configurability into the system. >> > > >> > > Even for a single binding, if you recall and as Ahmad pointed >> > > out, we do require this in 5213. We added this per IESG note. >> > >> > This authorization check was added in a very early version of the PMIPv6 >> > draft in response to a review from Lakshminath. Not due to the IESG. One >> > of the options suggested was to have the LMA check if the MN is really >> > attached to the MAG before allowing the MAG to create a binding for the >> > mobile node. But this has nothing to do with the authorization check for >> > bulk revocation. >> > >> >> No. That's not true. I've added this during the AD review. We may >> have discussed this earlier, but this specific authorzation check >> was added per the AD review. We may have discussed this very >> early and I remember that discussion as well. >> >> http://www.ietf.org/mail-archive/web/netlmm/current/msg04144.html > > This is incorrect. draft-ietf-netlmm-proxymip6-00 that was submitted in April > 2007 had the following > We are not discussing about the check related to a MN attachment at a given MAG. We are discussing about the LMA requiring to maintain MAG authorization list, that's exactly Ahmad is talking about for allowing/dis allowing Bulk Authorization list. How is this below check relevant to this discussion ? The text I quoted with respect to MAG authorization list was provided by our AD and thats what we have in 5213. > However, the local mobility anchor MUST allow only authorized mobile > access gateways to create binding cache entries on behalf of the > mobile nodes. The actual mechanism by which the local mobility > anchor verifies if a specific mobile access gateway is authorized to > send Proxy Binding Updates on behalf of a mobile node is outside the > scope of this document. One possible way this could be achieved is > sending a query to the policy store such as by using AAA > infrastrucure. > > See http://tools.ietf.org/html/draft-ietf-netlmm-proxymip6-00 > > AD review happened in Jan 2008. > Right. The quoted text in Security considerations that was there from very begining is not about MAG authorization list, thats for the proof of MN attachment at a given MAG. >> > > Before the MAG can create a binding, the LMA is required to check >> > > if the given MAG is authorized to perform such an operation. The >> > > same goes for dereg, its enforced indirectly, there is a check >> > > for binding's Proxy-CoA to match the PBU's Proxy-CoA, before the >> > > dereg is allowed. >> > >> > When the MAG de-registers a mobile node's session, there is no >> > authorization check. The LMA only makes sure that it the same MAG that >> > is responsible for the binding. >> > >> No, there is a indirect check. The MAG before deregistering, >> will match the Proxy-CoA in the request to that present in >> the binding. Prior to that BCE creation, the LMA allowed only >> a authorized MAG to create that binding. So, this check at dereg >> will indirectly enforce the same. > > This is NOT an indirect authorization check. As I have said in this thread > many times, the MAG that created the binding is allowed to delete the > binding. Simple. There is no authorization check when deleting the binding. > MAG created a single binding and can very well delete a single binding by sending a single request. That did not provide an explicit right to delete all 30,000 bindings in a single message. That request needs to pass additional authorization, as that can impact many sessions. > Sorry, I am not convinced that this authorization check is needed for bulk > revocation from the MAG. > Sorry, I'm not convinced with this argument either. I dont see a single interop/implementation issue requring LMA maintain that list, 5213 already maintains that list. If this is unnecessary in a given trusted secure network, one can very well relax that. But, from a protocol design perspective, this needs to be specified. I agree with Ahmad. Sri
- [MEXT] Review of draft-ietf-mext-binding-revocati… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Joel Hortelius
- Re: [MEXT] [netlmm] Review ofdraft-ietf-mext-bind… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Sri Gundavelli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Qin Wu
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Qin Wu
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Sri Gundavelli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Sri Gundavelli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Yungui Wang
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Sri Gundavelli
- Re: [MEXT] Review of draft-ietf-mext-binding-revo… Yungui Wang