Re: [Mip4] AD review comments on advance draft-ietf-mobileip-lowlatency-handoffs-v4-08.txt
"James Kempf" <kempf@docomolabs-usa.com> Tue, 18 May 2004 21:52 UTC
Received: from optimus.ietf.org (www.iesg.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA21200 for <mip4-archive@odin.ietf.org>; Tue, 18 May 2004 17:52:10 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BQCU0-0002Ei-MJ for mip4-archive@odin.ietf.org; Tue, 18 May 2004 17:50:45 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i4ILoiZW008596 for mip4-archive@odin.ietf.org; Tue, 18 May 2004 17:50:44 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BQCJr-0000z5-HM for mip4-web-archive@optimus.ietf.org; Tue, 18 May 2004 17:40:15 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA20844 for <mip4-web-archive@ietf.org>; Tue, 18 May 2004 17:40:12 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BQCJp-00071n-3U for mip4-web-archive@ietf.org; Tue, 18 May 2004 17:40:13 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BQCJ2-0006yx-00 for mip4-web-archive@ietf.org; Tue, 18 May 2004 17:39:25 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BQCIU-0006vC-00 for mip4-web-archive@ietf.org; Tue, 18 May 2004 17:38:50 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BQCDq-00071p-Sp; Tue, 18 May 2004 17:34:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BQC99-0005y1-Rd for mip4@optimus.ietf.org; Tue, 18 May 2004 17:29:11 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA20321 for <mip4@ietf.org>; Tue, 18 May 2004 17:29:08 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BQC97-0006K3-Fu for mip4@ietf.org; Tue, 18 May 2004 17:29:09 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BQC8F-0006GG-00 for mip4@ietf.org; Tue, 18 May 2004 17:28:16 -0400
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com ident=fwuser) by ietf-mx with esmtp (Exim 4.12) id 1BQC7K-0006D2-00 for mip4@ietf.org; Tue, 18 May 2004 17:27:18 -0400
Message-ID: <04da01c43d1e$fd71e6b0$366115ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: Pete McCann <mccap@lucent.com>, Mobile IPv4 Mailing List <mip4@ietf.org>
References: <16554.23223.66121.836847@gargle.gargle.HOWL>
Subject: Re: [Mip4] AD review comments on advance draft-ietf-mobileip-lowlatency-handoffs-v4-08.txt
Date: Tue, 18 May 2004 14:27:56 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: mip4-admin@ietf.org
Errors-To: mip4-admin@ietf.org
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Pete, > Security considerations needs work. At a minimum, the text about "use > ESP" seems insufficient (see security AD comments in ID tracke for > draft-ietf-seamoby-card-protocol for starters - I suspect the same > point applies to this document.) THe security analysis as a whole > seems pretty weak, and in reading it, I didn't get a sense that the > security issues were well-understood. E.g., seems like a lot of the > security properties depend on L2 security, of which there is no > discussion. I.e., has a detailed analysis in the context of a specific > LL type been done? Could it be done? > The CARD draft was recently rewritten to use SEND signatures based on the SEND router certificates, as suggested by Steve Bellovin in the comments Thomas refers to here. The Seamoby WG is still in the process of discussing a few final comments about the document, but since CARD applies to IPv4 as well as IPv6, a similar solution might apply here (of course, the rewritten draft has not yet been through the IESG so there may yet be suprises in store for the Seamoby WG). The new CARD security protocol drops IPsec for the MN-AR interface and instead uses the SEND security association (IPsec remains for the AR-AR interface, however). One major issue is certificate exchange. In IPv6, the SEND DCS/DCA messages can be used for certificate exchange on the same router, but there's nothing like that for IPv4, even if the same signature format and certificate profile as SEND is used. The solution for CARD is to define a certificate exchange extension that works similarly to SEND, with the MN sending a list of trusted roots and the AR sending back the chain for one of them. An additional benefit that CARD provides is that the MN can solicit for certificates to handover candidate access routers connected to APs that the MN can see, thereby allowing the MN to have the certificate chain preconfigured for the new AR prior to movement. This can result in additional latency reduction for handover. Provided the MIP4 WG was willing to go with CARD certificate exchange, the SEND signature option could be reused for low latency handover PrxyRtXXX messages as was done for CARD. The alternative option would be to try defining something like DCS/DCA for IPv4, but there is little realistic chance that it would be deployed, since AFAICT, hosts in IPv4 rarely use router advertisments to discover their default routers, they use DHCP. The exception is Mobile IPv4 FAAdverts, of course. An alternative would be to reuse the MIPv4 MN-FA authentication extension for low latency. If the WG decides that it likes that alternative better, it might be a good idea to talk to Steve Bellovin and Russ Hously about it first, to make sure they are OK with it, to avoid another IESG return. While the SEND solution looks like a pretty good one from a technical standpoint for this problem, the assumption is that Steve preferred that solution since he explicitly mentioned it in his comments, which is secondarily why it was used in CARD. jak -- Mip4 mailing list: Mip4@ietf.org Web interface: https://www.ietf.org/mailman/listinfo/mip4 Charter page: http://www.ietf.org/html.charters/mip4-charter.html Supplemental site: http://www.mip4.org/
- [Mip4] AD review comments on advance draft-ietf-m… Pete McCann
- Re: [Mip4] AD review comments on advance draft-ie… James Kempf