Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Ahmad Muhanna <amuhanna@awardsolutions.com> Thu, 14 March 2013 19:59 UTC

Return-Path: <amuhanna@awardsolutions.com>
X-Original-To: mip4@ietfa.amsl.com
Delivered-To: mip4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7119F11E8173 for <mip4@ietfa.amsl.com>; Thu, 14 Mar 2013 12:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdC9tdEeq8Ne for <mip4@ietfa.amsl.com>; Thu, 14 Mar 2013 12:59:28 -0700 (PDT)
Received: from exprod8og117.obsmtp.com (exprod8og117.obsmtp.com [64.18.3.34]) by ietfa.amsl.com (Postfix) with ESMTP id 6085E11E8166 for <mip4@ietf.org>; Thu, 14 Mar 2013 12:59:28 -0700 (PDT)
Received: from mail.awardsolutions.com ([66.142.250.98]) (using TLSv1) by exprod8ob117.postini.com ([64.18.7.12]) with SMTP ID DSNKUUIsHiBV2I4S3tnpYRpZ7X3q28mP9ktI@postini.com; Thu, 14 Mar 2013 12:59:28 PDT
Received: from REDWOOD.usa.awardsolutions.com ([fe80::a1f1:7708:4a71:9fee]) by Redwood.usa.awardsolutions.com ([fe80::a1f1:7708:4a71:9fee%11]) with mapi id 14.01.0438.000; Thu, 14 Mar 2013 14:59:26 -0500
From: Ahmad Muhanna <amuhanna@awardsolutions.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
Thread-Topic: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
Thread-Index: AQHOIO3S7rndUjrH0UWKuVF8jTknMJilmiEw
Date: Thu, 14 Mar 2013 19:59:24 +0000
Message-ID: <3359F724933DFD458579D24EAC769098857A537A@Redwood.usa.awardsolutions.com>
References: <514206FE.7050807@gmail.com> <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com> <51421CB9.1080100@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215B92@xmb-aln-x03.cisco.com> <514223C4.8010905@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215BCB@xmb-aln-x03.cisco.com> <3359F724933DFD458579D24EAC769098857A52C0@Redwood.usa.awardsolutions.com> <51422AF5.1080509@gmail.com>
In-Reply-To: <51422AF5.1080509@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.25.208.42]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "Kent Leung \(kleung\)" <kleung@cisco.com>, Mobile IPv4 Mailing List <mip4@ietf.org>
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mip4>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 19:59:29 -0000

Yes. This ID is 64 bits.

The higher order 32 bits is the time in seconds and the lower 32 bits is the fraction of the second. However, some implementation uses JUST a random number.

In the Reply with code 133: 
The HA inserts its timestamp in the higher order 32 bits of the RRP ID and copies the lower 32 bits from the one in the RRQ.

It has been a while but I believe that is correct! :-)


Best Regards,
Ahmad


-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] 
Sent: Thursday, March 14, 2013 2:54 PM
To: Ahmad Muhanna
Cc: Kent Leung (kleung); Mobile IPv4 Mailing List
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Le 14/03/2013 20:36, Ahmad Muhanna a écrit :
> Yep. I think what Kent said makes sense. MR will use the timestamp 
> returned in the RRP with code 133 and the second RRQ should work just 
> fine.

Is this timestamp in RREP the 'Identification' field shown by wireshark?

Alex

>
> I guess no need to change anything then :-)
>
> Best Regards, Ahmad
>
>
> -----Original Message----- From: Kent Leung (kleung) 
> [mailto:kleung@cisco.com] Sent: Thursday, March 14, 2013 2:32 PM To:
> Alexandru Petrescu Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
> Subject: RE: [Mip4] Does MIP support RegReq authentication without 
> having to do timekeeping?
>
> I assumed that you had an MR that could do that. I'm not aware of any 
> MR vendor that will maintain the timestamp state after recovering from 
> a failure.
>
> On your original issue, wouldn't the re-registration succeed after the 
> HA replies with code 133? It would take two registration messages from 
> MR so it takes a little longer.
>
> Kent
>
> -----Original Message----- From: Alexandru Petrescu 
> [mailto:alexandru.petrescu@gmail.com] Sent: Thursday, March 14, 2013
> 12:24 PM To: Kent Leung (kleung) Cc: Ahmad Muhanna; Mobile IPv4 
> Mailing List Subject: Re: [Mip4] Does MIP support RegReq 
> authentication without having to do timekeeping?
>
> Le 14/03/2013 20:20, Kent Leung (kleung) a écrit :
>> Hi Alex. The nonce method is specified in the Mobile IP RFCs. But I'm 
>> not sure if any vendor supports that. If #2 works, that should 
>> address you issue.
>
> This is something we should implement on the MR side.  Do you think 
> the HA side already does it (I doubt?)?
>
> Alex
>
>>
>> Kent
>>
>> -----Original Message----- From: mip4-bounces@ietf.org 
>> [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>> Sent: Thursday, March 14, 2013 11:54 AM To: Ahmad Muhanna Cc:
>> Mobile IPv4 Mailing List Subject: Re: [Mip4] Does MIP support RegReq 
>> authentication without having to do timekeeping?
>>
>> Sounds reasonable to use timestamp as usual and if it fails then try 
>> the nonce... but...
>>
>> Does this behaviour require modification of the HA? (we are not able 
>> to modify it, but we can modify the MR).
>>
>> Le 14/03/2013 19:44, Ahmad Muhanna a écrit :
>>> Hi Alex,
>>>
>>> As far as I recall, RFC2002 and all updates afterwards, allow the 
>>> use of nonce. Basically like a challenge.
>>>
>>>> From implementation prospective; I would allow both to coexist as 
>>>> follows:
>>> 1. Both HA and MR uses timestamp as normal and no issue there.
>>
>> Yes.
>>
>>> 2. When the MR fails or start NOT to have a valid time, the MR 
>>> should have remembered the last RRP ID which is based on timestamp  
>>> and use that for Re-Registration.
>>
>> Ok, this could be done.
>>
>>> 3. At the HA, it should check timestamp first, if it passes then 
>>> timestamp continues to work; if it fails, the HA should check the 
>>> Re-Registration ID against the last ID that was sent in the last 
>>> RRP, if it is the same, the HA should allow the RRP to go through.
>>
>> This is a modification to the HA implementation, isn't it?
>>
>> Alex
>>
>>>
>>> I Hope this helps!
>>>
>>> Cheers!
>>>
>>> Best Regards, Ahmad
>>>
>>> -----Original Message----- From: mip4-bounces@ietf.org 
>>> [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>>> Sent: Thursday, March 14, 2013 12:21 PM To: Mobile IPv4 Mailing List 
>>> Subject: [Mip4] Does MIP support RegReq authentication without 
>>> having to do timekeeping?
>>>
>>> MIP4 participants,
>>>
>>> I would like to learn whether Mobile IPv4 spec supports an 
>>> authentication scheme for RegReq/RegRep which does not rely on 
>>> timekeeping.
>>>
>>> Let me explain why.
>>>
>>> We use a Mobile Router in a moving network that gets connected to 
>>> the Home Agent.  The Mobile Router's power supply may be turned off 
>>> (its battery dies out after an extended period of inactivity, like 
>>> in a vehicle).  At that point the MR looses its time.
>>>
>>> When it finally wakes up, it has to perform a Registration Req/Rep 
>>> with the HA, without assuming that its time is correct.
>>> Or, the MIP4 regreq/regrep HA implementation that we use seems to 
>>> rely on having the right time, otherwise the registration fails.
>>>
>>> Under these conditions, is it possible to use an auth mechanism 
>>> which does not rely on timekeeping?
>>>
>>> Alex
>>>
>>> -- Mip4 mailing list: Mip4@ietf.org Web interface:
>>> https://www.ietf.org/mailman/listinfo/mip4 Charter page:
>>> http://www.ietf.org/html.charters/mip4-charter.html Supplemental
>>> site: http://www.mip4.org/
>>>
>>>
>>
>>
>> -- Mip4 mailing list: Mip4@ietf.org Web interface:
>> https://www.ietf.org/mailman/listinfo/mip4 Charter page:
>> http://www.ietf.org/html.charters/mip4-charter.html Supplemental
>> site: http://www.mip4.org/
>>
>>
>
>
>
>