Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Alexandru Petrescu <alexandru.petrescu@gmail.com> Thu, 14 March 2013 18:54 UTC

Message-ID: <51421CB9.1080100@gmail.com>
Date: Thu, 14 Mar 2013 19:53:45 +0100
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
To: Ahmad Muhanna <amuhanna@awardsolutions.com>
References: <514206FE.7050807@gmail.com> <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com>
In-Reply-To: <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com>
Cc: Mobile IPv4 Mailing List <mip4@ietf.org>

Sounds reasonable to use timestamp as usual and if it fails then try the
nonce... but...

Does this behaviour require modification of the HA? (we are not able to
modify it, but we can modify the MR).

On 14/03/2013 19:44, Ahmad Muhanna wrote:
> Hi Alex,
>
> As far as I recall, RFC2002 and all updates afterwards, allow the
> use of nonce. Basically like a challenge.
>
> From an implementation perspective, I would allow both to coexist as
> follows:
> 1. Both HA and MR use timestamp as normal and no issue there.

Yes.

> 2. When the MR fails or starts NOT to have a valid time, the MR
> should have remembered the last RRP ID which is based on timestamp
> and use that for Re-Registration.

Ok, this could be done.

> 3. At the HA, it should check timestamp first, if it passes then
> timestamp continues to work; if it fails, the HA should check the
> Re-Registration ID against the last ID that was sent in the last
> RRP, if it is the same, the HA should allow the RRP to go through.

This is a modification to the HA implementation, isn't it?

Alex

>
> I hope this helps!
>
> Cheers!
>
> Best Regards, Ahmad
>
> -----Original Message-----
> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf
> Of Alexandru Petrescu
> Sent: Thursday, March 14, 2013 12:21 PM
> To: Mobile IPv4 Mailing List
> Subject: [Mip4] Does MIP support RegReq authentication without
> having to do timekeeping?
>
> MIP4 participants,
>
> I would like to learn whether Mobile IPv4 spec supports an
> authentication scheme for RegReq/RegRep which does not rely on
> timekeeping.
>
> Let me explain why.
>
> We use a Mobile Router in a moving network that gets connected to
> the Home Agent.  The Mobile Router's power supply may be turned off
> (its battery dies out after an extended period of inactivity, like in
> a vehicle).  At that point the MR loses its time.
>
> When it finally wakes up, it has to perform a Registration Req/Rep
> with the HA, without assuming that its time is correct.  Or, the
> MIP4 regreq/regrep HA implementation that we use seems to rely on
> having the right time, otherwise the registration fails.
>
> Under these conditions, is it possible to use an auth mechanism
> which does not rely on timekeeping?
>
> Alex
>
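
The HA-side check from step 3 of the quoted proposal, sketched in Python as an added example; it is not part of either message and not code from any Home Agent implementation. The class and function names, the 7-second window and the HA-chosen reply ID are assumptions, and the caller is assumed to have verified the request's authenticator before calling the check.

```python
import secrets

TOLERANCE_S = 7  # assumed timestamp acceptance window, in seconds


class Binding:
    """Replay-protection state a hypothetical HA keeps per mobile router."""

    def __init__(self):
        self.last_accepted_id = 0   # highest timestamp ID accepted so far
        self.last_reply_id = None   # ID sent in the last Registration Reply


def new_reply_id(binding, ha_now_s):
    """Build the reply ID: HA seconds in the high 32 bits, random low 32 bits.

    Assumption: the reply ID is HA-chosen, so it differs from every request
    ID an eavesdropper has already captured.
    """
    binding.last_reply_id = (ha_now_s << 32) | secrets.randbits(32)
    return binding.last_reply_id


def check_identification(binding, req_id, ha_now_s):
    """Return (accepted, reason) for a 64-bit request Identification."""
    if not 0 <= req_id < 1 << 64:
        return False, "rejected"
    # Step 3, first half: timestamp must be fresh and strictly increasing.
    fresh = abs((req_id >> 32) - ha_now_s) <= TOLERANCE_S
    if fresh and req_id > binding.last_accepted_id:
        binding.last_accepted_id = req_id
        binding.last_reply_id = None  # superseded by the next reply
        return True, "timestamp"
    # Step 3, second half: fall back to the ID from the last reply.
    if binding.last_reply_id is not None and req_id == binding.last_reply_id:
        binding.last_reply_id = None  # single use: a captured copy is now stale
        return True, "last-reply-id"
    return False, "rejected"
```

In this sketch the fallback value is consumed on first use and replaced by the next reply. If the reply ID only echoed the request ID, a captured copy of the last request would pass the fallback branch once.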