Re: [MEXT] review of draft-bajko-mext-sod-01
jouni korhonen <jouni.nospam@gmail.com> Wed, 09 February 2011 22:55 UTC
Return-Path: <jouni.nospam@gmail.com>
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 748DF3A67F3 for <mext@core3.amsl.com>;
Wed, 9 Feb 2011 14:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50y+cOv77o7x for
<mext@core3.amsl.com>; Wed, 9 Feb 2011 14:55:54 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com
[209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id DAC773A672E for
<mext@ietf.org>; Wed, 9 Feb 2011 14:55:53 -0800 (PST)
Received: by bwz12 with SMTP id 12so1619666bwz.31 for <mext@ietf.org>;
Wed, 09 Feb 2011 14:56:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=domainkey-signature:subject:mime-version:content-type:from
:in-reply-to:date:cc:content-transfer-encoding:message-id:references
:to:x-mailer; bh=MVcpSXwZF2vPeHIYwgXf3EdCHnDgmZvl5YBQnoaE5E4=;
b=atJdz1Xd4kdeNh3ioDsEw0AjmjnRE2VTvJ9OVlXtEP4Qo745HyYTtu1Rn1JXio0Dfu
BuZ7HSVFttGnu2PlWBtKshngKBndEOoBBy3Ierwsd+n911YC4mM5GAk+egNkQ/hHvNgi
wKnKewAiwunk/X3DIj1xZ8TOEXMYtPbiHHp5s=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
h=subject:mime-version:content-type:from:in-reply-to:date:cc
:content-transfer-encoding:message-id:references:to:x-mailer;
b=bFXbD1gvmHb9nH60K5j2uJnwAVRjYAj5ewi7o+7c2Sc5EO8nVxU7Q9qafb9oRsB9go
/yFmYLWULpQlYx8UN9HOhwVI+4bZ3bH3dRD0O4JOEEqYeXCyaK36gajRZyaAIrNDvd17
WloiP10OPpbKvKeBVEPqiPjP9Yf6EJUPVqMJE=
Received: by 10.204.100.82 with SMTP id x18mr1034024bkn.20.1297292163729;
Wed, 09 Feb 2011 14:56:03 -0800 (PST)
Received: from a88-112-143-79.elisa-laajakaista.fi
(a88-112-143-79.elisa-laajakaista.fi [88.112.143.79]) by mx.google.com with
ESMTPS id z18sm564791bkf.20.2011.02.09.14.56.02 (version=TLSv1/SSLv3
cipher=RC4-MD5); Wed, 09 Feb 2011 14:56:03 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset=us-ascii
From: jouni korhonen <jouni.nospam@gmail.com>
In-Reply-To: <AANLkTinq8ThwA8-tW0viifxbMOLkia7aQkAuHK_RnJd7@mail.gmail.com>
Date: Thu, 10 Feb 2011 00:56:02 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <23F651D0-DADF-44DD-860D-D8ED773C5044@gmail.com>
References: <5ECC386B-CD36-45AE-943D-01F39264242D@gmail.com>
<AANLkTikQsb0xwnrG5qxCJ4RV45_tD6tuy0ndHdnPcnro@mail.gmail.com>
<40F7FF8A-2462-4FFC-A77A-D528DC1FD7D0@gmail.com>
<AANLkTinq8ThwA8-tW0viifxbMOLkia7aQkAuHK_RnJd7@mail.gmail.com>
To: Julien Laganier <julien.ietf@gmail.com>
X-Mailer: Apple Mail (2.1078)
Cc: draft-bajko-mext-sod@tools.ietf.org, mext@ietf.org
Subject: Re: [MEXT] review of draft-bajko-mext-sod-01
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>,
<mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>,
<mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2011 22:55:55 -0000
Hi again, GOTO the end of mail. On Feb 10, 2011, at 12:36 AM, Julien Laganier wrote: > Jouni, > > On Wed, Feb 9, 2011 at 2:22 PM, jouni korhonen <jouni.nospam@gmail.com> wrote: >> Julien, >> >> On Feb 9, 2011, at 11:53 PM, Julien Laganier wrote: >> >>> Jouni - >>> >>> Thanks for the review! >>> >>> Please see some comments below: >>>> >>>> * Section 1 >>>> >>>> As per the current MIP6 [RFC3775] specification, only the MN has the >>>> ability to enable security for user-plane traffic. The HA has no >>>> ability to force the MN to secure user traffic. >>>> >>>> Strictly based on rfc3775 yes. However, if IKE is used as the key management protocol, then it is possible to have some level of security level negotiation between the MN and the HA. That approach would not be as dynamic as proposed in the I-D but still.. >>> >>> My understanding of IKE is that although it can be used to update the >>> SPD, changing the fundamentals of a bypass or protect rules that >>> applies to user plane traffic wouldn't fall in the scope of IKE -- >>> see quote from RFC 5996: >> >> I should have written my thoughts clearer. What I meant here is that a MN and a HA may have a bunch of proposals to agree on. The MN and the HA can agree on a transform that provides no encryption. And this is essentially for the HA to enforce. I know it is somewhat far fetched but doable to some extent. > > Hmm. If for a single MN-HA pair there might be situations in which > confidentiality protection is to be afforded and other in which it is > not, the SPD will have to be modified. Quoting RFC 4301: > > o Processing info -- which action is required -- PROTECT, > BYPASS, or DISCARD. There is just one action that goes > with all the selector sets, not a separate action for each > set. If the required processing is PROTECT, the entry > contains the following information. > [...] > - algorithms -- which ones to use for AH, which ones to > use for ESP, which ones to use for combined mode, > ordered by decreasing priority > > Would it be correct to interpret your statement as having on the HA a > PROTECT rule with algorithms as follows and in that order: > > AES_CBC + HMAC-SHA1-96 followed by HMAC-SHA1-96 > > would allow the the MN to negotiate Confidentiality protection and > Integrity Protection vs. Integrity protection only by changing its > local SPD only to contain either AES_CBC + HMAC-SHA1-96 > (Confidentiality protection and Integrity Protection) or HMAC-SHA1-96 > (Intergrity protection only) and thus no MIPv6 signaling extension is > needed in this case because IKE would do the job? > > I'd agree. > > However, the SPD would have to be modified in case the userplane is to > be passed cleartext, and that means the HA SPD has to say BYPASS, and > IKE doen't allow to negotiate this. > > Comments? My original comment was to point out that the statement "The HA has no ability to force the MN to secure user traffic." is not so black and white in all cases. Using IKE definitely is not as slick as the solution proposed in the I-D. I am completely happy if the earlier statement is modified e.g. "The HA has limited abilities, if any, to force the MN to secure user traffic." And the probably referencing to RFC4877. - JOuni > > --julien
- [MEXT] review of draft-bajko-mext-sod-01 jouni korhonen
- Re: [MEXT] review of draft-bajko-mext-sod-01 Julien Laganier
- Re: [MEXT] review of draft-bajko-mext-sod-01 Basavaraj.Patil
- Re: [MEXT] review of draft-bajko-mext-sod-01 jouni korhonen
- Re: [MEXT] review of draft-bajko-mext-sod-01 Julien Laganier
- [MEXT] review of draft-bajko-mext-sod-01 Stefano Faccin
- Re: [MEXT] review of draft-bajko-mext-sod-01 jouni korhonen
- Re: [MEXT] review of draft-bajko-mext-sod-01 Julien Laganier
- Re: [MEXT] review of draft-bajko-mext-sod-01 Stefano Faccin
- Re: [MEXT] review of draft-bajko-mext-sod-01 Julien Laganier