Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Ahmad Muhanna <amuhanna@awardsolutions.com> Thu, 14 March 2013 19:43 UTC

From: Ahmad Muhanna <amuhanna@awardsolutions.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
Date: Thu, 14 Mar 2013 19:43:18 +0000
Message-ID: <3359F724933DFD458579D24EAC769098857A5312@Redwood.usa.awardsolutions.com>
References: <514206FE.7050807@gmail.com> <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com> <51421CB9.1080100@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215B92@xmb-aln-x03.cisco.com> <514223C4.8010905@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215BCB@xmb-aln-x03.cisco.com> <3359F724933DFD458579D24EAC769098857A52C0@Redwood.usa.awardsolutions.com> <5142273A.3000406@gmail.com>
In-Reply-To: <5142273A.3000406@gmail.com>
Cc: "Kent Leung (kleung)" <kleung@cisco.com>, Mobile IPv4 Mailing List <mip4@ietf.org>
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Yes.

HA inserts its timestamp in the high 32 bits of the RRP ID for the MR to synchronize itself.
Since the MR timer failed, the MR can still use the timestamp returned in the RRP with code 133 and send a second RRQ. It should succeed.

Maybe you need to make sure that the MR implementation does not screw up because its time has failed.

I do NOT believe there is any security issue in there. 
The ID field is protected by the MN-HA Authentication Extension.


Best Regards,
Ahmad


-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com] 
Sent: Thursday, March 14, 2013 2:39 PM
To: Ahmad Muhanna
Cc: Kent Leung (kleung); Mobile IPv4 Mailing List
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

On 14/03/2013 20:36, Ahmad Muhanna wrote:
> Yep. I think what Kent said makes sense. MR will use the timestamp 
> returned in the RRP with code 133 and the second RRQ should work just 
> fine.

Sorry for my naivety, but does the RREP contain a timestamp that the MR should put back in the RREQ?

If yes - is that secure?

Alex


>
> I guess no need to change anything then :-)
>
> Best Regards, Ahmad
>
>
> -----Original Message-----
> From: Kent Leung (kleung) [mailto:kleung@cisco.com]
> Sent: Thursday, March 14, 2013 2:32 PM
> To: Alexandru Petrescu
> Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
> Subject: RE: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> I assumed that you had an MR that could do that. I'm not aware of any 
> MR vendor that will maintain the timestamp state after recovering from 
> a failure.
>
> On your original issue, wouldn't the re-registration succeed after the 
> HA replies with code 133? It would take two registration messages from 
> MR so it takes a little longer.
>
> Kent
>
> -----Original Message-----
> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
> Sent: Thursday, March 14, 2013 12:24 PM
> To: Kent Leung (kleung)
> Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> On 14/03/2013 20:20, Kent Leung (kleung) wrote:
>> Hi Alex. The nonce method is specified in the Mobile IP RFCs. But I'm 
>> not sure if any vendor supports that. If #2 works, that should 
>> address your issue.
>
> This is something we should implement on the MR side.  Do you think 
> the HA side already does it (I doubt?)?
>
> Alex
>
>>
>> Kent
>>
>> -----Original Message-----
>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>> Sent: Thursday, March 14, 2013 11:54 AM
>> To: Ahmad Muhanna
>> Cc: Mobile IPv4 Mailing List
>> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>
>> Sounds reasonable to use timestamp as usual and if it fails then try 
>> the nonce... but...
>>
>> Does this behaviour require modification of the HA? (we are not able 
>> to modify it, but we can modify the MR).
>>
>> On 14/03/2013 19:44, Ahmad Muhanna wrote:
>>> Hi Alex,
>>>
>>> As far as I recall, RFC2002 and all updates afterwards, allow the 
>>> use of nonce. Basically like a challenge.
>>>
>>> From an implementation perspective, I would allow both to coexist as 
>>> follows:
>>> 1. Both HA and MR use timestamp as normal and no issue there.
>>
>> Yes.
>>
>>> 2. When the MR fails or starts NOT to have a valid time, the MR 
>>> should have remembered the last RRP ID which is based on timestamp 
>>> and use that for Re-Registration.
>>
>> Ok, this could be done.
>>
>>> 3. At the HA, it should check timestamp first, if it passes then 
>>> timestamp continues to work; if it fails, the HA should check the 
>>> Re-Registration ID against the last ID that was sent in the last 
>>> RRP, if it is the same, the HA should allow the RRP to go through.
>>
>> This is a modification to the HA implementation, isn't it?
>>
>> Alex
>>
>>>
>>> I Hope this helps!
>>>
>>> Cheers!
>>>
>>> Best Regards, Ahmad
>>>
>>> -----Original Message-----
>>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>>> Sent: Thursday, March 14, 2013 12:21 PM
>>> To: Mobile IPv4 Mailing List
>>> Subject: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>>
>>> MIP4 participants,
>>>
>>> I would like to learn whether the Mobile IPv4 spec supports an 
>>> authentication scheme for RegReq/RegRep which does not rely on 
>>> timekeeping.
>>>
>>> Let me explain why.
>>>
>>> We use a Mobile Router in a moving network that gets connected to 
>>> the Home Agent.  The Mobile Router's power supply may be turned off 
>>> (its battery dies out after an extended period of inactivity, like 
>>> in a vehicle).  At that point the MR loses its time.
>>>
>>> When it finally wakes up, it has to perform a Registration Req/Rep 
>>> with the HA, without assuming that its time is correct.
>>> Or, the MIP4 regreq/regrep HA implementation that we use seems to 
>>> rely on having the right time, otherwise the registration fails.
>>>
>>> Under these conditions, is it possible to use an auth mechanism 
>>> which does not rely on timekeeping?
>>>
>>> Alex
>>>
>>> -- Mip4 mailing list: Mip4@ietf.org Web interface:
>>> https://www.ietf.org/mailman/listinfo/mip4 Charter page:
>>> http://www.ietf.org/html.charters/mip4-charter.html Supplemental
>>> site: http://www.mip4.org/
>>>
>>>
>>
>>
>>
>>
>
>
>
>
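The code-133 resynchronisation discussed in this thread, simulated as an added example that is not from any of the participants or from an actual MIP4 implementation: the HA authenticates the RRQ before looking at the Identification field, rejects an out-of-window timestamp with code 133 carrying its own time in the high 32 bits, and the MR with a lost clock verifies the RRP's authenticator before trusting that time and retrying. The message layout, the 7-second window and HMAC-MD5 as the MN-HA authenticator are simplifying assumptions for this simulation.

```python
import hmac, hashlib, struct

WINDOW = 7                      # HA replay window in seconds (assumed value)
CODE_OK, CODE_ID_MISMATCH = 0, 133
MAC_LEN = 16

def ntp_id(seconds, fraction=0):
    """64-bit Identification: NTP seconds in the high 32 bits, fraction in the low 32."""
    return (seconds << 32) | fraction

def mac(key, body):
    """Simplified MN-HA Authentication Extension: HMAC-MD5 over the message body."""
    return hmac.new(key, body, hashlib.md5).digest()

def verify(key, msg):
    """Return the body if the trailing authenticator is valid, else None."""
    body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
    return body if hmac.compare_digest(tag, mac(key, body)) else None

def build_rrq(key, ident, lifetime=3600):
    body = struct.pack("!BHQ", 1, lifetime, ident)      # type 1, lifetime, Identification (assumed layout)
    return body + mac(key, body)

def ha_process(key, rrq, ha_now):
    """HA: authenticate first, then check the timestamp window; a 133 reply carries HA time."""
    body = verify(key, rrq)
    if body is None:
        return None                                     # bad authenticator: drop silently
    _, _, ident = struct.unpack("!BHQ", body)
    if abs((ident >> 32) - ha_now) > WINDOW:
        # high 32 bits = HA time, low 32 bits copied from the request
        reply = struct.pack("!BBQ", 3, CODE_ID_MISMATCH, ntp_id(ha_now, ident & 0xFFFFFFFF))
    else:
        reply = struct.pack("!BBQ", 3, CODE_OK, ident)
    return reply + mac(key, reply)

def mr_register(key, mr_clock, ha_now, tamper=None):
    """MR with a possibly wrong clock: on 133 it resyncs from an authenticated RRP and retries once."""
    rrp = ha_process(key, build_rrq(key, ntp_id(mr_clock)), ha_now)
    if tamper:
        rrp = tamper(rrp)                               # constructed on-path modification of the RRP
    body = verify(key, rrp)
    if body is None:
        return None, 1                                  # unauthenticated RRP: never use its timestamp
    _, code, reply_id = struct.unpack("!BBQ", body)
    if code != CODE_ID_MISMATCH:
        return code, 1
    offset = (reply_id >> 32) - mr_clock                # clock correction learned from the HA
    rrp = ha_process(key, build_rrq(key, ntp_id(mr_clock + offset)), ha_now)
    _, code, _ = struct.unpack("!BBQ", verify(key, rrp))
    return code, 2
```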