IETF Logo Mail Archive

Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

"Kent Leung (kleung)" <kleung@cisco.com> Thu, 14 March 2013 19:20 UTC

Return-Path: <kleung@cisco.com>
X-Original-To: mip4@ietfa.amsl.com
Delivered-To: mip4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB08911E81B8 for <mip4@ietfa.amsl.com>; Thu, 14 Mar 2013 12:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsZgpOlNGk3R for <mip4@ietfa.amsl.com>; Thu, 14 Mar 2013 12:20:18 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id DD1CD11E80F2 for <mip4@ietf.org>; Thu, 14 Mar 2013 12:20:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3284; q=dns/txt; s=iport; t=1363288817; x=1364498417; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=oZzBaJYGxbWmQdaahxcTDZHs5RC4+VrtQzNhagtIboQ=; b=RapoGIOUYkdO0Xc2hofQwvoeXNyGXxUxZmIsvh7XGWGFNHGQWb8/YdOi mivE/O+9v5Pn5coFFTqeLgW9ejhY89nZM7N3PkaEAcl1jpslCua5+JoYF Cn/uQGEDVvDvBmX4b3AU0yQTgbaAESUewxHgmPGl31JkgkLg+vBualEx8 Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAI0hQlGtJV2b/2dsb2JhbABDxQKBZRZ0gisBAQEDAQEBAWsLBQcEAgEIEQQBAQsdBycLFAkIAgQBDQUIAYgFBgzBa41PDgl/MQIFBoJZYQOIPp8cgVSBNoIo
X-IronPort-AV: E=Sophos;i="4.84,846,1355097600"; d="scan'208";a="187614528"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-3.cisco.com with ESMTP; 14 Mar 2013 19:20:17 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r2EJKHk9025482 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 14 Mar 2013 19:20:17 GMT
Received: from xmb-aln-x03.cisco.com ([169.254.6.8]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0318.004; Thu, 14 Mar 2013 14:20:17 -0500
From: "Kent Leung (kleung)" <kleung@cisco.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>, Ahmad Muhanna <amuhanna@awardsolutions.com>
Thread-Topic: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
Thread-Index: AQHOIOVj5IvDl6+vSUiwtmVfOnfckpilj5BA
Date: Thu, 14 Mar 2013 19:20:16 +0000
Message-ID: <CD85F32117029D4F9AEF48BDEF5536AB10215B92@xmb-aln-x03.cisco.com>
References: <514206FE.7050807@gmail.com> <3359F724933DFD458579D24EAC769098857A51DC@Redwood.usa.awardsolutions.com> <51421CB9.1080100@gmail.com>
In-Reply-To: <51421CB9.1080100@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.115.74]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Mobile IPv4 Mailing List <mip4@ietf.org>
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mip4>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 19:20:18 -0000

Hi Alex. The nonce method is specified in the Mobile IP RFCs. But I'm not sure if any vendor supports that. If #2 works, that should address you issue.

Kent

-----Original Message-----
From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
Sent: Thursday, March 14, 2013 11:54 AM
To: Ahmad Muhanna
Cc: Mobile IPv4 Mailing List
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Sounds reasonable to use timestamp as usual and if it fails then try the nonce... but...

Does this behaviour require modification of the HA? (we are not able to modify it, but we can modify the MR).

Le 14/03/2013 19:44, Ahmad Muhanna a écrit :
> Hi Alex,
>
> As far as I recall, RFC2002 and all updates afterwards, allow the use 
> of nonce. Basically like a challenge.
>
>> From implementation prospective; I would allow both to coexist as
>> follows:
> 1. Both HA and MR uses timestamp as normal and no issue there.

Yes.

> 2. When the MR fails or start NOT to have a valid time, the MR should 
> have remembered the last RRP ID which is based on timestamp and use 
> that for Re-Registration.

Ok, this could be done.

> 3. At the HA, it should check timestamp first, if it passes then 
> timestamp continues to work; if it fails, the HA should check the 
> Re-Registration ID against the last ID that was sent in the last RRP, 
> if it is the same, the HA should allow the RRP to go through.

This is a modification to the HA implementation, isn't it?

Alex

>
> I Hope this helps!
>
> Cheers!
>
> Best Regards, Ahmad
>
> -----Original Message----- From: mip4-bounces@ietf.org 
> [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu Sent:
> Thursday, March 14, 2013 12:21 PM To: Mobile IPv4 Mailing List
> Subject: [Mip4] Does MIP support RegReq authentication without having 
> to do timekeeping?
>
> MIP4 participants,
>
> I would like to learn whether Mobile IPv4 spec supports an 
> authentication scheme for RegReq/RegRep which does not rely on 
> timekeeping.
>
> Let me explain why.
>
> We use a Mobile Router in a moving network that gets connected to the 
> Home Agent.  The Mobile Router's power supply may be turned off (its 
> battery dies out after an extended period of inactivity, like in a 
> vehicle).  At that point the MR looses its time.
>
> When it finally wakes up, it has to perform a Registration Req/Rep 
> with the HA, without assuming that its time is correct.  Or, the
> MIP4 regreq/regrep HA implementation that we use seems to rely on 
> having the right time, otherwise the registration fails.
>
> Under these conditions, is it possible to use an auth mechanism which 
> does not rely on timekeeping?
>
> Alex
>
> -- Mip4 mailing list: Mip4@ietf.org Web interface:
> https://www.ietf.org/mailman/listinfo/mip4 Charter page:
> http://www.ietf.org/html.charters/mip4-charter.html Supplemental
> site: http://www.mip4.org/
>
>


--
Mip4 mailing list: Mip4@ietf.org
    Web interface: https://www.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

v2.23.0 | Report a Bug | By Email