Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
Ahmad Muhanna <amuhanna@awardsolutions.com> Thu, 14 March 2013 19:37 UTC
From: Ahmad Muhanna <amuhanna@awardsolutions.com>
To: "Kent Leung (kleung)" <kleung@cisco.com>, Alexandru Petrescu <alexandru.petrescu@gmail.com>
Date: Thu, 14 Mar 2013 19:36:45 +0000
Cc: Mobile IPv4 Mailing List <mip4@ietf.org>

Yep. I think what Kent said makes sense. MR will use the timestamp returned in the RRP with code 133 and the second RRQ should work just fine. I guess no need to change anything then :-)

Best Regards,
Ahmad

-----Original Message-----
From: Kent Leung (kleung) [mailto:kleung@cisco.com]
Sent: Thursday, March 14, 2013 2:32 PM
To: Alexandru Petrescu
Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
Subject: RE: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

I assumed that you had an MR that could do that. I'm not aware of any MR vendor that will maintain the timestamp state after recovering from a failure.

On your original issue, wouldn't the re-registration succeed after the HA replies with code 133? It would take two registration messages from MR so it takes a little longer.

Kent

-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
Sent: Thursday, March 14, 2013 12:24 PM
To: Kent Leung (kleung)
Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

On 14/03/2013 20:20, Kent Leung (kleung) wrote:
> Hi Alex. The nonce method is specified in the Mobile IP RFCs. But I'm
> not sure if any vendor supports that. If #2 works, that should address
> your issue.

This is something we should implement on the MR side. Do you think the HA side already does it (I doubt?)?

Alex

>
> Kent
>
> -----Original Message-----
> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
> Sent: Thursday, March 14, 2013 11:54 AM
> To: Ahmad Muhanna
> Cc: Mobile IPv4 Mailing List
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> Sounds reasonable to use timestamp as usual and if it fails then try
> the nonce... but...
>
> Does this behaviour require modification of the HA? (we are not able
> to modify it, but we can modify the MR).
>
> On 14/03/2013 19:44, Ahmad Muhanna wrote:
>> Hi Alex,
>>
>> As far as I recall, RFC2002 and all updates afterwards, allow the use
>> of nonce. Basically like a challenge.
>>
>> From implementation perspective; I would allow both to coexist as
>> follows:
>> 1. Both HA and MR use timestamp as normal and no issue there.
>
> Yes.
>
>> 2. When the MR fails or starts NOT to have a valid time, the MR should
>> have remembered the last RRP ID which is based on timestamp and use
>> that for Re-Registration.
>
> Ok, this could be done.
>
>> 3. At the HA, it should check timestamp first, if it passes then
>> timestamp continues to work; if it fails, the HA should check the
>> Re-Registration ID against the last ID that was sent in the last RRP,
>> if it is the same, the HA should allow the RRP to go through.
>
> This is a modification to the HA implementation, isn't it?
>
> Alex
>
>>
>> I hope this helps!
>>
>> Cheers!
>>
>> Best Regards, Ahmad
>>
>> -----Original Message-----
>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>> Sent: Thursday, March 14, 2013 12:21 PM
>> To: Mobile IPv4 Mailing List
>> Subject: [Mip4] Does MIP support RegReq authentication without having
>> to do timekeeping?
>>
>> MIP4 participants,
>>
>> I would like to learn whether Mobile IPv4 spec supports an
>> authentication scheme for RegReq/RegRep which does not rely on
>> timekeeping.
>>
>> Let me explain why.
>>
>> We use a Mobile Router in a moving network that gets connected to the
>> Home Agent. The Mobile Router's power supply may be turned off (its
>> battery dies out after an extended period of inactivity, like in a
>> vehicle). At that point the MR loses its time.
>>
>> When it finally wakes up, it has to perform a Registration Req/Rep
>> with the HA, without assuming that its time is correct. Or, the
>> MIP4 regreq/regrep HA implementation that we use seems to rely on
>> having the right time, otherwise the registration fails.
>>
>> Under these conditions, is it possible to use an auth mechanism which
>> does not rely on timekeeping?
>>
>> Alex
>>
>> --
>> Mip4 mailing list: Mip4@ietf.org
>> Web interface: https://www.ietf.org/mailman/listinfo/mip4
>> Charter page: http://www.ietf.org/html.charters/mip4-charter.html
>> Supplemental site: http://www.mip4.org/
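
The two-message recovery the thread settles on (RRQ with a stale timestamp, RRP with code 133, resynchronised RRQ), as an added example that is not part of any message in this thread or of any vendor's HA or MR. It is a simplified model: the key, the `mac()` authenticator, the 7-second tolerance, the class names and the clock values are assumptions, and it includes the check that the low-order 32 bits of the 133 reply echo the request before the MR adopts the HA's time.

```python
import hashlib, hmac, os, struct

KEY = b"constructed-mn-ha-key"      # constructed key standing in for the MN-HA security association
TOLERANCE = 7                       # seconds of clock skew the HA accepts (assumed value)
RRQ, RRP = 1, 3                     # Registration Request / Reply message types
ACCEPTED, ID_MISMATCH = 0, 133      # reply codes; 133 is the one named in the thread

def mac(msg_type, code, ident):
    # Simplified authenticator over only the fields modelled here (not the real extension format)
    return hmac.new(KEY, struct.pack("!BBQ", msg_type, code, ident), hashlib.sha256).digest()

class HomeAgent:
    def __init__(self, clock):
        self.clock, self.last_id = clock, 0

    def handle_rrq(self, ident, tag):
        if not hmac.compare_digest(tag, mac(RRQ, 0, ident)):
            return None                                   # unauthenticated request: drop
        now, low = self.clock(), ident & 0xFFFFFFFF
        if abs((ident >> 32) - now) > TOLERANCE or ident <= self.last_id:
            rid = (now << 32) | low                       # HA time in high bits, request's low bits echoed
            return ID_MISMATCH, rid, mac(RRP, ID_MISMATCH, rid)
        self.last_id = ident                              # stale or replayed IDs now fail the check above
        return ACCEPTED, ident, mac(RRP, ACCEPTED, ident)

class MobileRouter:
    def __init__(self, clock):
        self.clock, self.offset, self.sent = clock, 0, []

    def register(self, ha, tries=2):
        codes = []
        for _ in range(tries):
            low = int.from_bytes(os.urandom(4), "big")    # fresh low-order bits per request
            ident = ((self.clock() + self.offset) << 32) | low
            self.sent.append(ident)
            reply = ha.handle_rrq(ident, mac(RRQ, 0, ident))
            if reply is None or not hmac.compare_digest(reply[2], mac(RRP, reply[0], reply[1])):
                break                                     # no reply, or reply fails authentication
            code, rid, _ = reply
            codes.append(code)
            if code != ID_MISMATCH:
                break
            if (rid & 0xFFFFFFFF) == low:                 # only resync from a reply to *this* request
                self.offset = (rid >> 32) - self.clock()
        return codes

def demo():
    ha = HomeAgent(lambda: 1363289805)                    # constructed HA time
    mr = MobileRouter(lambda: 0)                          # MR clock reset by power loss
    codes = mr.register(ha)
    replay = ha.handle_rrq(mr.sent[-1], mac(RRQ, 0, mr.sent[-1]))
    return codes, replay[0]
```

`demo()` returns the reply codes seen by the MR and the code the HA gives when the accepted request is replayed.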