Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks

Pete McCann <mccap@petoni.org> Thu, 25 August 2011 19:54 UTC

In-Reply-To: <4E56A052.1000604@computer.org>
References: <4E554BAA.9080409@computer.org> <CAE_dhjtz5ue1noQwzb5gcCFa1gq_4EY-hxMhQRL07JAQNZq3bg@mail.gmail.com> <CACvMsLEgYZ+z05x9O978OuRG+fn=EqspPxjiBfV5VB2UvS0wWg@mail.gmail.com> <4E56A052.1000604@computer.org>
Date: Thu, 25 Aug 2011 15:54:43 -0400
Message-ID: <CACvMsLHnBrOyfcy62ncxidenfC6KsqmhEHvikFLSx4WDNVJcfQ@mail.gmail.com>
From: Pete McCann <mccap@petoni.org>
To: charliep@computer.org
Cc: mext <mext@ietf.org>

Hi, Charlie,

The problem seems to be we have the following three steps that have
to be carried out in order:

1) access authentication
2) address assignment
3) mobility management

(3) depends on (2) because you can't bind your home address to a
care-of address until you have a care-of address.  (2) depends on (1)
because operators don't like to give out resources until they know they
will get paid.

It's possible to combine all these things into one protocol (perhaps PANA
could have been that vehicle, if certain decisions had not been made) but
the IETF seems to like breaking problems down into layered solutions.

-Pete

On Thu, Aug 25, 2011 at 3:19 PM, Charles E. Perkins
<charliep@computer.org> wrote:
> Hello Pete,
>
> Yes, putting Mobile IP inside of EAP would be one approach.
> It would have some interesting advantages.  Other approaches
> might be more properly done in [netext] -- or perhaps have
> already been looked at; I could have possibly missed some of
> the relevant discussion there.
>
> Regards,
> Charlie P.
>
>
>
> On 8/25/2011 11:40 AM, Pete McCann wrote:
>>
>> Hi, Julien,
>>
>> Are you talking about EAP inside IKEv2?  That presupposes that the MN
>> is already attached to the network somewhere and has an IP address (i.e.,
>> it has already passed access authentication).
>>
>> It may be interesting to look at whether access authentication and
>> mobility
>> management can be combined.  For example, we could put Mobile IP (or
>> some variant of it) inside an EAP exchange used for access authentication.
>> Charlie, are you proposing something like this?
>>
>> -Pete
>>
>> On Thu, Aug 25, 2011 at 1:44 PM, Julien Laganier <julien.ietf@gmail.com> wrote:
>>>
>>> Charlie,
>>>
>>> I am not sure I understand what is missing in MIPv6; a MN and an HA
>>> can already mutually authenticate using EAP, and this is incidentally
>>> what 3GPP leverages on, together with the EAP-AKA method. What is
>>> missing?
>>>
>>> --julien
>>>
>>> On Wed, Aug 24, 2011 at 12:06 PM, Charles E. Perkins
>>> <charliep@computer.org>  wrote:
>>>>
>>>> Hello folks,
>>>>
>>>> It's now 2011.  Mobile IP was standardized late in
>>>> 1996, after work had already been started nearly
>>>> ten years before.  Over two decades! -- and regardless
>>>> of lip service to fixed/mobile convergence we still
>>>> don't have seamless mobility in user devices across
>>>> heterogeneous media, and standards organizations
>>>> (notably 3GPP) are not properly taking advantage of
>>>> what Mobile IP can do. The losers are the end-users,
>>>> which means all of us.
>>>>
>>>> There are many reasons for this, but one of the
>>>> main reasons has to do with authentication at the
>>>> access network.  EAP in various forms is being
>>>> utilized for this purpose, and Mobile IP is not,
>>>> even though there has never been any reported
>>>> failure of RFC 5944 or RFC 4285 or RFC 6275
>>>> (to my knowledge).  Moreover, unless there is
>>>> something wrong with the cryptography that also
>>>> has not been reported, these authentication methods
>>>> enable _mutual_ authentication between the network
>>>> and the client, not just client authentication.
>>>>
>>>> In order for Mobile IP to enable the real promise
>>>> of high performance heterogeneous networking, we
>>>> have to do some more work.  I would like to initiate
>>>> some more discussion about this.  DMM is interesting
>>>> in its own right, but it's not at all the whole
>>>> story.  Moreover, with proper design, it is likely
>>>> the supposed burden of signaling to the home agent
>>>> can be substantially reduced.  As one simple example,
>>>> if handovers are accomplished locally between trusted
>>>> access agents (routers, 802.11 access controllers, ...)
>>>> then the actual timing of tunnel redirection from the
>>>> home agent becomes much less critical.  This is also
>>>> intricately intertwined with authentication.
>>>>
>>>> If the Home Agent were recognized as a robust security
>>>> appliance, then it could naturally sit on the network
>>>> boundary as an IP-addressable device.  Mobile IP
>>>> authentication could become the primary means of
>>>> validating user access, instead of an afterthought
>>>> to enable IP-address preservation after all the heavy
>>>> lifting has been done at lower levels.
>>>>
>>>> I would like to propose that in this working group we
>>>> should go about making this happen.  It seems to be
>>>> important, and undeniably aligned with our working
>>>> group responsibilities.
>>>>
>>>> Regards,
>>>> Charlie P.
>>>>
>>>>
>>>> _______________________________________________
>>>> MEXT mailing list
>>>> MEXT@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/mext
>>>>