IETF Logo Mail Archive

Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks

"Charles E. Perkins" <charliep@computer.org> Thu, 25 August 2011 19:18 UTC

Return-Path: <charliep@computer.org>
X-Original-To: mext@ietfa.amsl.com
Delivered-To: mext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B2221F8BA2 for <mext@ietfa.amsl.com>; Thu, 25 Aug 2011 12:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a8tien1Ecov4 for <mext@ietfa.amsl.com>; Thu, 25 Aug 2011 12:18:35 -0700 (PDT)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64]) by ietfa.amsl.com (Postfix) with ESMTP id 079C321F8B98 for <mext@ietf.org>; Thu, 25 Aug 2011 12:18:35 -0700 (PDT)
Received: from [138.111.58.2] (helo=[172.17.96.89]) by elasmtp-curtail.atl.sa.earthlink.net with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.67) (envelope-from <charliep@computer.org>) id 1QwfSu-00026l-Fl; Thu, 25 Aug 2011 15:19:48 -0400
Message-ID: <4E56A052.1000604@computer.org>
Date: Thu, 25 Aug 2011 12:19:46 -0700
From: "Charles E. Perkins" <charliep@computer.org>
Organization: Wichorus Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Pete McCann <mccap@petoni.org>
References: <4E554BAA.9080409@computer.org><CAE_dhjtz5ue1noQwzb5gcCFa1gq_4EY-hxMhQRL07JAQNZq3bg@mail.gmail.com> <CACvMsLEgYZ+z05x9O978OuRG+fn=EqspPxjiBfV5VB2UvS0wWg@mail.gmail.com>
In-Reply-To: <CACvMsLEgYZ+z05x9O978OuRG+fn=EqspPxjiBfV5VB2UvS0wWg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: 137d7d78656ed6919973fd6a8f21c4f2d780f4a490ca6956d5d4673fe7faad86548192237726173f06ee375395b3594c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 138.111.58.2
Cc: mext <mext@ietf.org>
Subject: Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: charliep@computer.org
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2011 19:18:35 -0000

Hello Pete,

Yes, putting Mobile IP inside of EAP would be one approach.
It would have some interesting advantages.  Other approaches
might be more properly done in [netext] -- or perhaps have
already been looked; I could have possibly missed some of
the relevant discussion there.

Regards,
Charlie P.



On 8/25/2011 11:40 AM, Pete McCann wrote:
> Hi, Julien,
>
> Are you talking about EAP inside IKEv2?  That presupposes that the MN
> is already attached to the network somewhere and has an IP address (i.e.,
> it has already passed access authentication).
>
> It may be interesting to look at whether access authentication and mobility
> management can be combined.  For example, we could put Mobile IP (or
> some variant of it) inside an EAP exchange used for access authentication.
> Charlie, are you proposing something like this?
>
> -Pete
>
> On Thu, Aug 25, 2011 at 1:44 PM, Julien Laganier<julien.ietf@gmail.com>  wrote:
>> Charlie,
>>
>> I am not sure I understand what is missing in MIPv6; a MN and an HA
>> can already mutually authenticate using EAP, and this is incidentally
>> what 3GPP leverages on, together with the EAP-AKA method. What is
>> missing?
>>
>> --julien
>>
>> On Wed, Aug 24, 2011 at 12:06 PM, Charles E. Perkins
>> <charliep@computer.org>  wrote:
>>>
>>> Hello folks,
>>>
>>> It's now 2011.  Mobile IP was standardized late in
>>> 1996, after work had already been started nearly
>>> ten years before.  Over two decades! -- and regardless
>>> of lip service to fixed/mobile convergence we still
>>> don't have seamless mobility in user devices across
>>> heterogeneous media, and standards organizations
>>> (notably 3GPP) are not properly taking advantage of
>>> what Mobile IP can do. The losers are the end-users,
>>> which means all of us.
>>>
>>> There are many reasons for this, but one of the
>>> main reasons has to do with authentication at the
>>> access network.  EAP in various forms is being
>>> utilized for this purpose, and Mobile IP is not,
>>> even though there has never been any reported
>>> failure of the RFC 5944 or RFC 4285 or RFC 6275
>>> (to my knowledge).  Moreover, unless there is
>>> something wrong with the cryptography that also
>>> has not been reported, these authentication methods
>>> enable _mutual_ authentication between the network
>>> and the client, not just client authentication.
>>>
>>> In order for Mobile IP to enable the real promise
>>> of high performance heterogeneous networking, we
>>> have to do some more work.  I would like to initiate
>>> some more discussion about this.  DMM is interesting
>>> in its own right, but it's not at all the whole
>>> story.  Moreover, with proper design, it is likely
>>> the supposed burden of signaling to the home agent
>>> can be substantially reduced.  As one simple example,
>>> if handovers are accomplished locally between trusted
>>> access agents (routers, 802.11 access controllers, ...)
>>> then the actual timing of tunnel redirection from the
>>> home agent becomes much less critical.  This is also
>>> intricately intertwined with authentication.
>>>
>>> If the Home Agent were recognized as a robust security
>>> appliance, then it could naturally sit on the network
>>> boundary as an IP-addressable device.  Mobile IP
>>> authentication could become the primary means of
>>> validating user access, instead of an afterthought
>>> to enable IP-address preservation after all the heavy
>>> lifting has been done a lower levels.
>>>
>>> I would like to propose that in this working group we
>>> should go about making this happen.  It seems to be
>>> important, and undeniably aligned with our working
>>> group responsibilities.
>>>
>>> Regards,
>>> Charlie P.
>>>
>>>
>>> _______________________________________________
>>> MEXT mailing list
>>> MEXT@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mext
>>>
>> _______________________________________________
>> MEXT mailing list
>> MEXT@ietf.org
>> https://www.ietf.org/mailman/listinfo/mext
>>
>

v2.8.7 | Report a Bug | By Email