Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Alexandru Petrescu <alexandru.petrescu@gmail.com> Thu, 14 March 2013 19:55 UTC

Message-ID: <51422AF5.1080509@gmail.com>
Date: Thu, 14 Mar 2013 20:54:29 +0100
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
To: Ahmad Muhanna <amuhanna@awardsolutions.com>
In-Reply-To: <3359F724933DFD458579D24EAC769098857A52C0@Redwood.usa.awardsolutions.com>
Cc: "Kent Leung \(kleung\)" <kleung@cisco.com>, Mobile IPv4 Mailing List <mip4@ietf.org>
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

On 14/03/2013 20:36, Ahmad Muhanna wrote:
> Yep. I think what Kent said makes sense. MR will use the timestamp
> returned in the RRP with code 133 and the second RRQ should work just
> fine.

Is this timestamp in RREP the 'Identification' field shown by Wireshark?

Alex

>
> I guess no need to change anything then :-)
>
> Best Regards, Ahmad
>
>
> -----Original Message-----
> From: Kent Leung (kleung) [mailto:kleung@cisco.com]
> Sent: Thursday, March 14, 2013 2:32 PM
> To: Alexandru Petrescu
> Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
> Subject: RE: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> I assumed that you had an MR that could do that. I'm not aware of any
> MR vendor that will maintain the timestamp state after recovering
> from a failure.
>
> On your original issue, wouldn't the re-registration succeed after
> the HA replies with code 133? It would take two registration messages
> from MR so it takes a little longer.
>
> Kent
>
> -----Original Message-----
> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
> Sent: Thursday, March 14, 2013 12:24 PM
> To: Kent Leung (kleung)
> Cc: Ahmad Muhanna; Mobile IPv4 Mailing List
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> On 14/03/2013 20:20, Kent Leung (kleung) wrote:
>> Hi Alex. The nonce method is specified in the Mobile IP RFCs. But
>> I'm not sure if any vendor supports that. If #2 works, that should
>> address your issue.
>
> This is something we should implement on the MR side.  Do you think
> the HA side already does it (I doubt?)?
>
> Alex
>
>>
>> Kent
>>
>> -----Original Message-----
>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>> Sent: Thursday, March 14, 2013 11:54 AM
>> To: Ahmad Muhanna
>> Cc: Mobile IPv4 Mailing List
>> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>
>> Sounds reasonable to use timestamp as usual and if it fails then
>> try the nonce... but...
>>
>> Does this behaviour require modification of the HA? (we are not
>> able to modify it, but we can modify the MR).
>>
>> On 14/03/2013 19:44, Ahmad Muhanna wrote:
>>> Hi Alex,
>>>
>>> As far as I recall, RFC2002 and all updates afterwards allow the
>>> use of a nonce. Basically like a challenge.
>>>
>>> From an implementation perspective, I would allow both to coexist
>>> as follows:
>>> 1. Both HA and MR use timestamp as normal and no issue there.
>>
>> Yes.
>>
>>> 2. When the MR fails or starts NOT to have a valid time, the MR
>>> should have remembered the last RRP ID which is based on
>>> timestamp and use that for Re-Registration.
>>
>> Ok, this could be done.
>>
>>> 3. At the HA, it should check timestamp first, if it passes then
>>> timestamp continues to work; if it fails, the HA should check
>>> the Re-Registration ID against the last ID that was sent in the
>>> last RRP, if it is the same, the HA should allow the RRP to go
>>> through.
>>
>> This is a modification to the HA implementation, isn't it?
>>
>> Alex
>>
>>>
>>> I hope this helps!
>>>
>>> Cheers!
>>>
>>> Best Regards, Ahmad
>>>
>>> -----Original Message-----
>>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>>> Sent: Thursday, March 14, 2013 12:21 PM
>>> To: Mobile IPv4 Mailing List
>>> Subject: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>>
>>> MIP4 participants,
>>>
>>> I would like to learn whether Mobile IPv4 spec supports an
>>> authentication scheme for RegReq/RegRep which does not rely on
>>> timekeeping.
>>>
>>> Let me explain why.
>>>
>>> We use a Mobile Router in a moving network that gets connected to
>>> the Home Agent.  The Mobile Router's power supply may be turned
>>> off (its battery dies out after an extended period of inactivity,
>>> like in a vehicle).  At that point the MR loses its time.
>>>
>>> When it finally wakes up, it has to perform a Registration
>>> Req/Rep with the HA, without assuming that its time is correct.
>>> Or, the MIP4 regreq/regrep HA implementation that we use seems to
>>> rely on having the right time, otherwise the registration fails.
>>>
>>> Under these conditions, is it possible to use an auth mechanism
>>> which does not rely on timekeeping?
>>>
>>> Alex
>>>
>>> -- Mip4 mailing list: Mip4@ietf.org Web interface:
>>> https://www.ietf.org/mailman/listinfo/mip4 Charter page:
>>> http://www.ietf.org/html.charters/mip4-charter.html Supplemental
>>> site: http://www.mip4.org/
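The two-message resynchronisation discussed in this thread (RFC 3344 timestamp replay protection: the MR's first RRQ is rejected with code 133, the HA's reply carries the HA's own clock in the high-order 32 bits of the Identification field, and the MR's second RRQ then succeeds), as an added Python simulation that is not part of this thread nor any vendor's MR or HA code. It assumes a constructed MN-HA shared secret and a 7-second skew tolerance of my own choosing, and reduces the registration message to the type byte, the 64-bit Identification and the HMAC-MD5 Mobile-Home Authentication Extension.

```python
import hmac, hashlib, os, struct

# Constructed MN-HA shared secret and skew tolerance; both are assumptions for this example.
SECRET = b"example-mn-ha-secret"
TOLERANCE = 7                         # seconds of clock skew the HA accepts
CODE_OK, CODE_ID_MISMATCH = 0, 133    # RFC 3344 reply codes (133 = registration Identification mismatch)

def ntp_seconds(unix_seconds):
    return int(unix_seconds) + 2208988800   # NTP epoch offset, as used by the Identification field

def make_identification(now_unix):
    # High-order 32 bits: NTP timestamp; low-order 32 bits: random (RFC 3344 section 5.7)
    return (ntp_seconds(now_unix) << 32) | struct.unpack(">I", os.urandom(4))[0]

def authenticator(payload):
    # Mobile-Home Authentication Extension: HMAC-MD5 keyed with the shared secret (RFC 3344 section 3.5.2)
    return hmac.new(SECRET, payload, hashlib.md5).digest()

def build_rrq(identification):
    body = struct.pack(">BQ", 1, identification)   # type 1 = Registration Request, then Identification
    return body + authenticator(body)

def ha_process(rrq, ha_now_unix):
    """HA side: verify the authenticator, then check the timestamp; return (code, reply Identification)."""
    body, mac = rrq[:-16], rrq[-16:]
    if not hmac.compare_digest(mac, authenticator(body)):
        raise ValueError("authentication failed")
    mn_ident = struct.unpack(">BQ", body)[1]
    mn_time, ha_time = mn_ident >> 32, ntp_seconds(ha_now_unix)
    if abs(mn_time - ha_time) <= TOLERANCE:
        return CODE_OK, mn_ident                      # accepted: reply echoes the MR's Identification
    # Rejected with code 133: the reply's high-order 32 bits carry the HA's clock so the MR can resync
    return CODE_ID_MISMATCH, (ha_time << 32) | (mn_ident & 0xFFFFFFFF)

def register(mr_now_unix, ha_now_unix):
    """MR side: returns (attempts used, final code, clock offset the MR learned from the HA)."""
    offset = 0
    for attempt in (1, 2):
        rrq = build_rrq(make_identification(mr_now_unix + offset))
        code, reply_ident = ha_process(rrq, ha_now_unix)
        if code == CODE_OK:
            return attempt, code, offset
        # Code 133: adopt the HA's time from the reply Identification and try once more
        offset = (reply_ident >> 32) - ntp_seconds(mr_now_unix)
    return 2, code, offset
```

A MR whose clock reset after a power loss therefore needs exactly two RRQs, and its HA needs no change beyond the standard behaviour; the nonce method would avoid the extra round trip but, as noted in the thread, depends on both ends supporting it.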