Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt

[Sri Gundavelli <sgundave@cisco.com>]

Hi Vijay,



On Mon, 16 Mar 2009, Vijay Devarapalli wrote:

> Hi Sri,
>
> Sri Gundavelli wrote:
>>
>>
>>  On Mon, 16 Mar 2009, Vijay Devarapalli wrote:
>> 
>> >  Sri Gundavelli wrote:
>> > > > > >   Does the LMA keep a list of MAGs that are authorized for
>> > > > >   sending bulk revocations? How is this list configured? In
>> > > > >   addition, I think this authorization step is unnecessary and
>> > > > >   should be removed.
>> > > > 
>> > > 
>> > >   Bulk revoc is a high security risk operation, requiring such
>> > >   authorization check will allow the system to build some
>> > >   configurability into the system.
>> > > 
>> > >   Even for a single binding, if you recall and as Ahmad pointed
>> > >   out, we do require this in 5213. We added this per IESG note.
>> > 
>> >  This authorization check was added in a very early version of the PMIPv6 
>> >  draft in response to a review from Lakshminath. Not due to the IESG. One 
>> >  of the options suggested was to have the LMA check if the MN is really 
>> >  attached to the MAG before allowing the MAG to create a binding for the 
>> >  mobile node. But this has nothing to do with the authorization check for 
>> >  bulk revocation.
>> >
>>
>>  No. That's not true. I've added this during the AD review. We may
>>  have discussed this earlier, but this specific authorzation check
>>  was added per the AD review. We may have discussed this very
>>  early and I remember that discussion as well.
>>
>>  http://www.ietf.org/mail-archive/web/netlmm/current/msg04144.html
>
> This is incorrect. draft-ietf-netlmm-proxymip6-00 that was submitted in April 
> 2007 had the following
>

We are not discussing about the check related to a MN attachment at
a given MAG. We are discussing about the LMA requiring to maintain
MAG authorization list, that's exactly Ahmad is talking about for
allowing/dis allowing Bulk Authorization list. How is this below check
relevant to this discussion ? The text I quoted with respect to MAG
authorization list was provided by our AD and thats what we have in
5213.


>    However, the local mobility anchor MUST allow only authorized mobile
>    access gateways to create binding cache entries on behalf of the
>    mobile nodes.  The actual mechanism by which the local mobility
>    anchor verifies if a specific mobile access gateway is authorized to
>    send Proxy Binding Updates on behalf of a mobile node is outside the
>    scope of this document.  One possible way this could be achieved is
>    sending a query to the policy store such as by using AAA
>    infrastrucure.
>
> See http://tools.ietf.org/html/draft-ietf-netlmm-proxymip6-00
>
> AD review happened in Jan 2008.
>

Right. The quoted text in Security considerations that was there
from very begining is not about MAG authorization list, thats for
the proof of MN attachment at a given MAG.


>> > >   Before the MAG can create a binding, the LMA is required to check
>> > >   if the given MAG is authorized to perform such an operation. The
>> > >   same goes for dereg, its enforced indirectly, there is a check
>> > >   for binding's Proxy-CoA to match the PBU's Proxy-CoA, before the
>> > >   dereg is allowed.
>> > 
>> >  When the MAG de-registers a mobile node's session, there is no 
>> >  authorization check. The LMA only makes sure that it the same MAG that 
>> >  is responsible for the binding.
>> >
>>  No, there is a indirect check. The MAG before deregistering,
>>  will match the Proxy-CoA in the request to that present in
>>  the binding. Prior to that BCE creation, the LMA allowed only
>>  a authorized MAG to create that binding. So, this check at dereg
>>  will indirectly enforce the same.
>
> This is NOT an indirect authorization check. As I have said in this thread 
> many times, the MAG that created the binding is allowed to delete the 
> binding. Simple. There is no authorization check when deleting the binding.
>

MAG created a single binding and can very well delete a single binding
by sending a single request. That did not provide an explicit right
to delete all 30,000 bindings in a single message. That request needs
to pass additional authorization, as that can impact many sessions.

> Sorry, I am not convinced that this authorization check is needed for bulk 
> revocation from the MAG.
>

Sorry, I'm not convinced with this argument either. I dont see a single
interop/implementation issue requring LMA maintain that list, 5213 already
maintains that list. If this is unnecessary in a given trusted secure 
network, one can very well relax that. But, from a protocol design
perspective, this needs to be specified. I agree with Ahmad.


Sri