Re: [Mip6] Summary of Justification for Alternative Authentication Option
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Sun, 26 September 2004 17:39 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA20442 for <mip6-web-archive@ietf.org>; Sun, 26 Sep 2004 13:39:01 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CBd6j-0004tV-P5 for mip6-web-archive@ietf.org; Sun, 26 Sep 2004 13:46:46 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CBcxt-0000yb-HL; Sun, 26 Sep 2004 13:37:37 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CBcoe-0000Ti-3G for mip6@megatron.ietf.org; Sun, 26 Sep 2004 13:28:04 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA20140 for <mip6@ietf.org>; Sun, 26 Sep 2004 13:28:01 -0400 (EDT)
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CBcw6-0004lW-5R for mip6@ietf.org; Sun, 26 Sep 2004 13:35:46 -0400
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id i8QHR3f05843; Sun, 26 Sep 2004 19:27:03 +0200
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.12.3/8.12.3) with ESMTP id i8QHR3Sj077583; Sun, 26 Sep 2004 19:27:03 +0200 (CEST) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200409261727.i8QHR3Sj077583@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Gopal Dommety <gdommety@cisco.com>
Subject: Re: [Mip6] Summary of Justification for Alternative Authentication Option
In-reply-to: Your message of Thu, 23 Sep 2004 14:55:05 PDT. <4.3.2.7.2.20040923143829.029e1a48@mira-sjc5-d.cisco.com>
Date: Sun, 26 Sep 2004 19:27:03 +0200
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Cc: mip6@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 92df29fa99cf13e554b84c8374345c17
In your previous mail you wrote:
Summary
=======
The WG has been engaged in a discussion over the last week on the
topic of standardizing an authentication date suboption based
=> I believe "standardizing" means to make it a Proposed Standard,
doesn't it?
mechanism for the purpose of registering an MN with its HA via the
BU/BAck messages.
To summarize the discussion in brief:
1. The I-D draft-patil-mip6-whyauthdataoption-00.txt was used as the
baseline for the discussion
2. Opinion was expressed that the I-D was more inclined in justifying
why the use of IKE was a problem for setting up the MN-HA IPsec SA
and not really providing sufficient justifications for an
alternative scheme to the use of IPsec for securing the signaling
messages between the MN and HA
3. There were a few people who expressed strong views of keeping IPsec
as the only means for MIP6 security between MN and HA (Francis and
Hesham (?))
4. There were others who claimed the need for an alternate option to
MIP6 including one operator who plans to deploy the protocol in
their network (Raj, James Kempf, Alpesh, Gopal, Kuntal, Vijay,
Michael Roe)
=> you should be more accurate: just alternate option or standardized
alternate option?
5. There was also a note from an implementers perspective on the
challenges of integrating MIP6 with IPsec (Michael Roe)
6. There was discussion about the problem of replay attacks and the
need for key refreshment
7. IKEv2 is expected to provide a solution to the problem of setting
up dynamic SAs in networks that rely on AAA infrastructures. While
IKEv2 itself has been approved, the details of how IKEv2 is used
with MIP6 are still being worked out in an I-D that is not ready
yet.
=> IMHO the main problem with an IKEv2 based solution is that there is
no public implementation... Another point is that IKEv2 does not support
home agent allocation.
8. There was an opinion that the bootstrap work being done in the WG
would address the needs of the environment claimed in I-D
draft-patil-mip6-whyauthdataoption-00.txt
=> some AAA/EAP based solutions are already ready (i.e., implemented)
and of course they support home agent allocation.
There are some other points:
- we were supposed to ask an advice from security area directors
- the requirement level of auth data option is still not clear enough
- if the auth data option is only for the 3GPP2 environment there is
no reason to standardize it at the IETF: the 3GPP2 can require what
it wants in its own environment. If it likes to get an IETF document,
an informational RFC should be enough and even faster (less possible
concerns from the IESG).
Some of these points were already mentioned on the list...
Regards
Francis.Dupont@enst-bretagne.fr
_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www1.ietf.org/mailman/listinfo/mip6
- [Mip6] Summary of Justification for Alternative A… Gopal Dommety
- Re: [Mip6] Summary of Justification for Alternati… Vijay Devarapalli
- Re: [Mip6] Summary of Justification for Alternati… James Kempf
- Re: [Mip6] Summary of Justification for Alternati… Gopal Dommety
- Re: [Mip6] Summary of Justification for Alternati… Francis Dupont
- Re: [Mip6] Summary of Justification for Alternati… Gopal Dommety