Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

"Kent Leung (kleung)" <kleung@cisco.com> Thu, 14 March 2013 19:31 UTC

From: "Kent Leung (kleung)" <kleung@cisco.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
Date: Thu, 14 Mar 2013 19:31:30 +0000
Message-ID: <CD85F32117029D4F9AEF48BDEF5536AB10215BCB@xmb-aln-x03.cisco.com>
References: <514206FE.7050807@gmail.com> <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com> <51421CB9.1080100@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215B92@xmb-aln-x03.cisco.com> <514223C4.8010905@gmail.com>
In-Reply-To: <514223C4.8010905@gmail.com>
Cc: Ahmad Muhanna <amuhanna@awardsolutions.com>, Mobile IPv4 Mailing List <mip4@ietf.org>
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

I assumed that you had an MR that could do that. I'm not aware of any MR vendor that will maintain the timestamp state after recovering from a failure. 

On your original issue, wouldn't the re-registration succeed after the HA replies with code 133? It would take two registration messages from MR so it takes a little longer.

Kent
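
Kent's remark about code 133 is the standard RFC 3344 timestamp resynchronisation: the HA rejects the first Registration Request but returns its own time in the high 32 bits of the Identification field, so the MR's second request succeeds. The Python simulation below is an added example, not code from this thread or from any vendor's MR or HA; the 7-second tolerance, the home addresses and the HA clock value are assumed, and the Mobile-Home Authentication Extension is left out to keep the focus on the Identification field.

```python
import os

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
CODE_ACCEPTED = 0
CODE_ID_MISMATCH = 133  # RFC 3344 reply code "registration Identification mismatch"


def make_identification(unix_seconds: int) -> int:
    """64-bit Identification field: NTP seconds in the high 32 bits, random low
    32 bits standing in for the fractional seconds the MR's clock cannot supply."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | int.from_bytes(os.urandom(4), "big")


class HomeAgent:
    """Timestamp replay protection on the HA side (authentication extension omitted)."""

    def __init__(self, now: int, tolerance: int = 7):
        self.now = now              # HA's correct Unix time-of-day, held fixed for the simulation
        self.tolerance = tolerance  # accepted skew in seconds; 7 is this example's assumed value
        self.last_accepted: dict[str, int] = {}  # home address -> last accepted Identification

    def handle_request(self, home_addr: str, ident: int) -> tuple[int, int]:
        ha_ntp = self.now + NTP_EPOCH_OFFSET
        fresh = abs((ident >> 32) - ha_ntp) <= self.tolerance
        # must also exceed the last accepted value, so a captured valid request cannot be replayed
        if fresh and ident > self.last_accepted.get(home_addr, 0):
            self.last_accepted[home_addr] = ident
            return CODE_ACCEPTED, ident  # reply echoes the whole Identification
        # code 133: echo the MR's low 32 bits, supply the HA's own time in the high 32 bits
        return CODE_ID_MISMATCH, (ha_ntp << 32) | (ident & 0xFFFFFFFF)


class MobileRouter:
    def __init__(self, home_addr: str, clock: int):
        self.home_addr = home_addr
        self.clock = clock          # what the MR believes the Unix time is (0 after power loss)
        self.offset = 0             # correction learned from a code 133 reply
        self.last_ident = 0

    def register(self, ha: HomeAgent, max_attempts: int = 2) -> tuple[int, int]:
        """Return (final reply code, number of Registration Requests sent)."""
        code = CODE_ID_MISMATCH
        for attempt in range(1, max_attempts + 1):
            self.last_ident = make_identification(self.clock + self.offset)
            code, reply_ident = ha.handle_request(self.home_addr, self.last_ident)
            # resync from the reply only if its low 32 bits match the request we just sent
            if code != CODE_ID_MISMATCH or (reply_ident ^ self.last_ident) & 0xFFFFFFFF:
                break
            self.offset = (reply_ident >> 32) - NTP_EPOCH_OFFSET - self.clock
        return code, attempt
```

An MR that wakes with its clock reset to zero is rejected once and accepted on the second request, which is the two-message delay Kent describes; an MR whose clock is within tolerance registers in one.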

-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] 
Sent: Thursday, March 14, 2013 12:24 PM
To: Kent Leung (kleung)
Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

On 14/03/2013 20:20, Kent Leung (kleung) wrote:
> Hi Alex. The nonce method is specified in the Mobile IP RFCs. But I'm 
> not sure if any vendor supports that. If #2 works, that should address 
> your issue.

This is something we should implement on the MR side.  Do you think the HA side already does it (I doubt?)?

Alex

>
> Kent
>
> -----Original Message-----
> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
> Sent: Thursday, March 14, 2013 11:54 AM
> To: Ahmad Muhanna
> Cc: Mobile IPv4 Mailing List
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> Sounds reasonable to use timestamp as usual and if it fails then try  
> the nonce... but...
>
> Does this behaviour require modification of the HA? (we are not able  
> to modify it, but we can modify the MR).
>
> On 14/03/2013 19:44, Ahmad Muhanna wrote:
>> Hi Alex,
>>
>> As far as I recall, RFC2002 and all updates afterwards, allow the use 
>> of nonce. Basically like a challenge.
>>
>> From an implementation perspective, I would allow both to coexist as 
>> follows:
>> 1. Both HA and MR use timestamp as normal and no issue there.
>
> Yes.
>
>> 2. When the MR fails or starts NOT to have a valid time, the MR should 
>> have remembered the last RRP ID which is based on timestamp and use 
>> that for Re-Registration.
>
> Ok, this could be done.
>
>> 3. At the HA, it should check timestamp first, if it passes then 
>> timestamp continues to work; if it fails, the HA should check the 
>> Re-Registration ID against the last ID that was sent in the last RRP, 
>> if it is the same, the HA should allow the RRP to go through.
>
> This is a modification to the HA implementation, isn't it?
>
> Alex
>
>>
>> I Hope this helps!
>>
>> Cheers!
>>
>> Best Regards, Ahmad
>>
>> -----Original Message-----
>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>> Sent: Thursday, March 14, 2013 12:21 PM
>> To: Mobile IPv4 Mailing List
>> Subject: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>
>> MIP4 participants,
>>
>> I would like to learn whether Mobile IPv4 spec supports an 
>> authentication scheme for RegReq/RegRep which does not rely on 
>> timekeeping.
>>
>> Let me explain why.
>>
>> We use a Mobile Router in a moving network that gets connected to the 
>> Home Agent.  The Mobile Router's power supply may be turned off (its 
>> battery dies out after an extended period of inactivity, like in a 
>> vehicle).  At that point the MR loses its time.
>>
>> When it finally wakes up, it has to perform a Registration Req/Rep 
>> with the HA, without assuming that its time is correct.  Or, the
>> MIP4 regreq/regrep HA implementation that we use seems to rely on 
>> having the right time, otherwise the registration fails.
>>
>> Under these conditions, is it possible to use an auth mechanism which 
>> does not rely on timekeeping?
>>
>> Alex
>>
>> --
>> Mip4 mailing list: Mip4@ietf.org
>> Web interface: https://www.ietf.org/mailman/listinfo/mip4
>> Charter page: http://www.ietf.org/html.charters/mip4-charter.html
>> Supplemental site: http://www.mip4.org/