Re: [MEXT] RFC 3775bis: mandate on the use of IPsec
arno@natisbad.org (Arnaud Ebalard) Fri, 21 November 2008 16:51 UTC
Return-Path: <mext-bounces@ietf.org>
X-Original-To: mip6-archive@megatron.ietf.org
Delivered-To: ietfarch-mip6-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 160F028C0EA; Fri, 21 Nov 2008 08:51:59 -0800 (PST)
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 72E8128C0EB for <mext@core3.amsl.com>; Fri, 21 Nov 2008 08:51:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id miypHK+mysag for <mext@core3.amsl.com>; Fri, 21 Nov 2008 08:51:56 -0800 (PST)
Received: from copper.chdir.org (copper.chdir.org [88.191.97.87]) by core3.amsl.com (Postfix) with ESMTP id 67D193A6A60 for <mext@ietf.org>; Fri, 21 Nov 2008 08:51:56 -0800 (PST)
Received: from [2001:7a8:78df:2:20d:93ff:fe55:8f78] (helo=localhost.localdomain) by copper.chdir.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <arno@natisbad.org>) id 1L3ZES-0000PK-Va; Fri, 21 Nov 2008 17:51:49 +0100
From: arno@natisbad.org
To: Alper Yegin <alper.yegin@yegin.org>
References: <016901c94bf2$cc3abc60$64b03520$@yegin@yegin.org>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: 47EB 85FE B99A AB85 FD09 46F3 0255 957C 047A 5026
X-Hashcash: 1:20:081121:alper.yegin@yegin.org::6gkaIvZkT989CHa6:00000000000000000000000000000000000000000XA9
X-Hashcash: 1:20:081121:mext@ietf.org::8shrOMBKi+madXW3:00001gSo
X-Hashcash: 1:20:081121:charliep@computer.org::8wwHTGKjLjl5WOWG:00000000000000000000000000000000000000001XrM
Date: Fri, 21 Nov 2008 08:50:03 -0800
In-Reply-To: <016901c94bf2$cc3abc60$64b03520$@yegin@yegin.org> (Alper Yegin's message of "Fri, 21 Nov 2008 18:04:10 +0200")
Message-ID: <877i6xm3b8.fsf@natisbad.org>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Cc: charliep@computer.org, mext@ietf.org
Subject: Re: [MEXT] RFC 3775bis: mandate on the use of IPsec
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: mext-bounces@ietf.org
Errors-To: mext-bounces@ietf.org
"Alper Yegin" <alper.yegin@yegin.org> writes: > Another issue with RFC 3775 is with the following text: > > The mobile node and the home agent MUST use an IPsec security > association to protect the integrity and authenticity of the Binding > Updates and Acknowledgements. > > Given the presence of RFC 4285 (and its adoption) it does not make sense to > mandate "use of IPsec." It's not like we expect RFC 4285 users to run it on > top of IPsec because RFC 3775 mandates use of IPsec J > > Note that we already took care of this with RFC 5213 which says: > > The mobile access gateway and the local mobility anchor MUST > implement IPsec for protecting the Proxy Mobile IPv6 signaling > messages [RFC4301]. IPsec is a mandatory-to-implement security > mechanism. However, additional documents may specify alternative > mechanisms and the mobility entities can enable a specific mechanism > for securing Proxy Mobile IPv6 signaling messages, based on either a > static configuration or after a dynamic negotiation using any > standard security negotiation protocols. IPsec has been chosen as the solution to protect MIPv6 signaling and data (3775, 3776, 4877, ...). One good argument (IMHO) was that IPv6 node are all expected to implement IPsec. Maybe we can argue on this IPv6 requirement for constrained devices but mext is not the place to do that. AFAICT, afterwhile, some specific captive environments with security at the link level and specific habits felt the need to have a lighter, possibly less powerful (in term of evolution and security wise) solution. [whyauth] explains that perfectly, IMHO. 4285 is a *specific* solution dedicated to a specific set of environments. MIPv6 security mechanisms (based IPsec/IKE) probably have their own drawbacks (requiring availability and integration between those components) but it covers most cases and generic networks. For instance, w/ a RFC4285-only based MIPv6 (no IPsec), which L3 security mechanism would be available to protect the communications between MN and HA? BTW, arguing against IPsec as the MIPv6 security protocol in the context of 3775bis does not make sense. Cheers, a+ [whyauth] : http://tools.ietf.org/html/draft-ietf-mip6-whyauthdataoption-07.html _______________________________________________ MEXT mailing list MEXT@ietf.org https://www.ietf.org/mailman/listinfo/mext
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Hesham Soliman
- [MEXT] RFC 3775bis: mandate on the use of IPsec Alper Yegin
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Arnaud Ebalard
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Alper Yegin
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Arnaud Ebalard
- Re: [MEXT] RFC 3775bis: mandate on the use of IPs… Alper Yegin