Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Alexandru Petrescu <alexandru.petrescu@gmail.com> Thu, 14 March 2013 19:58 UTC

Return-Path: <alexandru.petrescu@gmail.com>
X-Original-To: mip4@ietfa.amsl.com
Delivered-To: mip4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D62F11E80F2 for <mip4@ietfa.amsl.com>; Thu, 14 Mar 2013 12:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.968
X-Spam-Level:
X-Spam-Status: No, score=-9.968 tagged_above=-999 required=5 tests=[AWL=0.281, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VthOvQxTIwdu for <mip4@ietfa.amsl.com>; Thu, 14 Mar 2013 12:58:39 -0700 (PDT)
Received: from sainfoin-out.extra.cea.fr (sainfoin-out.extra.cea.fr [132.167.192.145]) by ietfa.amsl.com (Postfix) with ESMTP id BB9D311E814D for <mip4@ietf.org>; Thu, 14 Mar 2013 12:58:38 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by sainfoin.extra.cea.fr (8.14.2/8.14.2/CEAnet-Internet-out-2.3) with ESMTP id r2EJwajm006154 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 14 Mar 2013 20:58:36 +0100
Received: from muguet1.intra.cea.fr (muguet1.intra.cea.fr [132.166.192.6]) by pisaure.intra.cea.fr (8.14.4/8.14.4) with ESMTP id r2EJwZor026624; Thu, 14 Mar 2013 20:58:35 +0100 (envelope-from alexandru.petrescu@gmail.com)
Received: from [127.0.0.1] ([132.166.86.3]) by muguet1.intra.cea.fr (8.13.8/8.13.8/CEAnet-Intranet-out-1.2) with ESMTP id r2EJwXwf031152; Thu, 14 Mar 2013 20:58:35 +0100
Message-ID: <51422BCB.30409@gmail.com>
Date: Thu, 14 Mar 2013 20:58:03 +0100
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: "Kent Leung (kleung)" <kleung@cisco.com>
References: <514206FE.7050807@gmail.com> <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com> <51421CB9.1080100@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215B92@xmb-aln-x03.cisco.com> <514223C4.8010905@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215BCB@xmb-aln-x03.cisco.com> <514226A9.9020700@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215C28@xmb-aln-x03.cisco.com> <51422787.5060509@gmail.com> <CD85F32117029D4F9AEF48BDEF5536AB10215C72@xmb-aln-x03.cisco.com>
In-Reply-To: <CD85F32117029D4F9AEF48BDEF5536AB10215C72@xmb-aln-x03.cisco.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: "mip4@ietf.org" <mip4@ietf.org>
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mip4>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 19:58:40 -0000

Le 14/03/2013 20:47, Kent Leung (kleung) a écrit :
> Hmm, I'm not clear with your response.
>
> Let's assume the following scenario.
>
> 1. MR sends initial RRQ1 (time=a) to HA
> 2. HA sends RRP1 (time=b) with code 133

Ok.  Do you think MR receiving this RRP1 will be able to safele verify 
it is legitimate?  Or is it possible than an attacker HA fakes this RRP1 
message?

> 3. MR sends RRQ2 (time=b+)
> 4. HA sends RRP2(time=b+) => registration successful
> 5. After MR recovers from failure, MR sends RRQ3(time=c)
> 6. HA sends RRP3(time=d) with code 133
> 7. MR sends RRQ4(time=d+)
> 8. HA sends RRP4(time=d+) => reregistration successful

These latter steps 3-8 make sense.

Alex

>
> We would need to confirm if #6 happens properly for a specific vendor. :) But I would expect #7 should happen if code 133 is received.
>
> Kent
>
> -----Original Message-----
> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
> Sent: Thursday, March 14, 2013 12:40 PM
> To: mip4@ietf.org
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> Le 14/03/2013 20:38, Kent Leung (kleung) a écrit :
>>
>> It needs to have the time, even if it does second registration.
>> It's not a problem it takes longer (we can send easily two messages).
>> But the second message will also be refused by the HA because it still
>> has the wrong time.
>>
>> KL> Why is the timestamp in the 2nd RRQ wrong?
>
> Because the computer has lost its time, because it was turned off long time (vehicle in garage for several weeks in winter time).  It now has year 1970.
>
> Alex
>
>>
>> Kent
>>
>>
>
>
> --
> Mip4 mailing list: Mip4@ietf.org
>      Web interface: https://www.ietf.org/mailman/listinfo/mip4
>       Charter page: http://www.ietf.org/html.charters/mip4-charter.html
> Supplemental site: http://www.mip4.org/
>
>