RE: [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-assignment-06.txt
"Kent Leung \(kleung\)" <kleung@cisco.com> Tue, 25 October 2005 17:42 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUSoy-0005CC-8M; Tue, 25 Oct 2005 13:42:48 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUSov-0005Bh-2H for mip4@megatron.ietf.org; Tue, 25 Oct 2005 13:42:47 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA08087 for <mip4@ietf.org>; Tue, 25 Oct 2005 13:42:31 -0400 (EDT)
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUT1v-0003sG-2A for mip4@ietf.org; Tue, 25 Oct 2005 13:56:11 -0400
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-2.cisco.com with ESMTP; 25 Oct 2005 10:42:36 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id j9PHfuv5008027; Tue, 25 Oct 2005 10:42:33 -0700 (PDT)
Received: from xmb-sjc-235.amer.cisco.com ([128.107.191.85]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 10:42:33 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-assignment-06.txt
Date: Tue, 25 Oct 2005 10:42:32 -0700
Message-ID: <2979E38DD6FC6544B789C8DAD7BAFC52D17B66@xmb-sjc-235.amer.cisco.com>
Thread-Topic: [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-assignment-06.txt
Thread-Index: AcXPZwGGLW/uacFySoepFQ9K+fgnHwJxhzhgABZ9coA=
From: "Kent Leung (kleung)" <kleung@cisco.com>
To: Ahmad Muhanna <amuhanna@nortel.com>, "Milind Kulkarni (mkulkarn)" <mkulkarn@cisco.com>
X-OriginalArrivalTime: 25 Oct 2005 17:42:33.0167 (UTC) FILETIME=[7AAB85F0:01C5D98B]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7fa173a723009a6ca8ce575a65a5d813
Content-Transfer-Encoding: quoted-printable
Cc: mip4@ietf.org, "Alpesh Patel (alpesh)" <alpesh@cisco.com>
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Sender: mip4-bounces@ietf.org
Errors-To: mip4-bounces@ietf.org
Hi Ahmad. Comments below. > -----Original Message----- > From: Ahmad Muhanna [mailto:amuhanna@nortel.com] > Sent: Monday, October 24, 2005 11:53 PM > To: Milind Kulkarni (mkulkarn) > Cc: mip4@ietf.org; Alpesh Patel (alpesh); Kent Leung (kleung) > Subject: RE: [Mip4] I-D > ACTION:draft-ietf-mip4-dynamic-assignment-06.txt > > Hi Milind, > My apology for not responding earlier. > > security consideration section: > " > There is a possibility of more than one HA create a mobility > binding entry for a given MN, if a man in the middle captures the > Registration Request with HA field set to ALL-ZERO-ONE-ADDR and > forwards it to other HAs. This scenario assumes that the > rogue node > can find out the addresses of the HAs which are able to > authenticate > the Registration Request. It also assumes that the rogue node has > the capability to store, duplicate, and send packets to > the other HAs > > within the limited time of the replay window. Otherwise these HAs > will reject the Registration Requests anyway. In addition, > this type > of attack is only possible when the Requested HA Extension is not > included in the registration message. The Mobile Node can > minimize > the duration of this condition by using a short lifetime (e.g. 5 > seconds) in the Registration Request. > " > > My only concern is with the recommendation of setting the > lifetime to 5 seconds. Basically we are recommending a 2 > round trip registration. Do you agree? > > If we are ok with 2 round trip DHA registration, then I would > argue that we let the HA reject the first registration using > an appropriate code e.g. 136. This much better because in the > case of 5 second registration, It is more expensive since HAs > needs to allocate resources including the IP addresses and > then releasing them. > On the other hand, 5 seconds is too short that it could > interfere with the retransmission mechanism due to a lost > registration request. > > The 5 secs is an example only. It's an arbitrary small value dictated by MN implementation or configuration. There are a few benefits of this scheme. First, no changes to MN or HA operation needed using a small lifetime. For some networks such as cdma2000, this type of issue doesn't happen, IMHO. So the MN can use regular lifetime value and such registration is optimized for working scenario (without the need for 2 registration exchanges). Maybe for WLAN which may not L2 encrypted, the MN uses the small registration lifetime for this type of roaming interface to overcome the possibility of such an attack. In summary, the scheme is optimized for networks where this issue doesn't exist and mitigate the attack where there may be a possibility. Both ways, it's the same normal registration exchange and MN/HA operation. > The other issue: > I believe it resolves the security issue for MN with > co-located acre of address without any complication. > > Since the MN with co-located care of address always acquire > the requested HA address via other means as documented in > section 6.0 of the draft, why not then allow the MN to use > the HA IP address in the HA field of the RRQ. Just like > regular MIPv4. unless I am missing something here, I think > this scenario becomes just like a regular Mobile IP registration. > On the other hand, in case that it is required for the MN to > set the HA field to ALL-ZERO-ONE-ADDR, then why not mandate > on the MN to always add the Requested HA extension. > The HA is already checking the HA address in the extension against the destination IP address for CCoA mode. The ALL-ZERO-ONE-ADDR in the HA field indicates dynamic HA assignment. Section 5.1.2: If the Registration Request contains the Requested HA Extension, the HA address in that extension MUST match the destination IP of the Request. The reason it's a "SHOULD" instead of "MUST" is that for some access networks (e.g. GPRS/UMTS), this type of issue doesn't exists. So, for cellular networks, MN doesn't need to add the extension to avoid consuming bandwidth unnecessarily. For WLAN, MN can add the extension for protect against this type of attack. Section 5.1.2: In some cases, for the first Registration Request the MN may want to hint to the network to be anchored at a specific HA. The MN SHOULD put that address in the HA address of the Requested HA Extension. > Thanks and sorry for the delay. > No problem and thanks for your inputs. Kent -- Mip4 mailing list: Mip4@ietf.org Web interface: https://www1.ietf.org/mailman/listinfo/mip4 Charter page: http://www.ietf.org/html.charters/mip4-charter.html Supplemental site: http://www.mip4.org/
- [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-assignm… Internet-Drafts
- RE: [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-ass… Ahmad Muhanna
- RE: [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-ass… Kent Leung (kleung)
- RE: [Mip4] I-D ACTION:draft-ietf-mip4-dynamic-ass… Ahmad Muhanna