RE: [Mip6] Bootstrapping DT solution draft

[Gerardo Giaretta <Gerardo.Giaretta@TILAB.COM>]

Hi Christian,

thanks for your comments. Please see inline.. 

> 
> Hi Gerardo, hi DT members,
> 
> thanks for the bootstrapping I-D; you did a very good job!
> 
> Some comments (and questions) from my side:
> 
> (1)  The DT draft doesn't yet specify the backend AAA 
> protocol, e.g., a
> Diameter application.  Is this your next step?  (IMO, considering a
> split scenario makes sense only when you specify the AAA 
> protocol, too,
> because that AAA protocol---neither the DNS lookup nor the MN-HA IKEv2
> exchange---is affected by the split.)
> 

Actually the AAA backend is out of the scope of the DT. There is a WG
item (draft-ietf-mip6-aaa-ha-goals) that described the goals for the AAA
backend interface. A new version of this document will be released based
on draft-ietf-mip6-bootstrap-split-00 and based on the solution for
integrated scenario we are working on. Then I guess that definition of
the AAA protocol should be done by AAA and RADEXT working groups. 

> (2)  Draft-ietf-mip6-ikev2-ipsec-01.txt already defines how to
> dynamically assign a HoA during the IKEv2 handshake.  Why do you use
> different Configuration Payloads?
> 

We use the same attribute for HoA assignment by the HA (i.e.
INTERNAL_IP6_ADDRESS attribute).
We use a different attribute for HoA auto-configuration (i.e.
MIP6_HOME_PREFIX): this is because the MN needs to be provided by a
network prefix and its length. This is not the purpose of
INTERNAL_IP6_ADDRESS that provides an IPv6 address to the peer.

> (3) In order to contact DNS, the MN needs IP connectivity.  Is your
> assumption that the visited network (ASP/ASA) authorizes the MN for IP
> connectivity first, and the MN bootstraps Mobile IPv6 
> thereafter?  (This
> would preclude an all-in-one solution like, e.g., the one described in
> draft-le-aaa-diameter-mobileipv6-04.txt.)
> 

In split scenario network access authentication and authentication for
mobility service are performed indipendently. That is ASA and MSA are
different entities. The DT is currently working on an integrated
solution for the scenario you mention.

> (4) Are you assuming that the DNS server belongs to the MSA?  If not,
> the MN probably won't have an SA with the DNS server, so DNS requests
> are unauthenticated and DNS responses are not encrypted.  (Note that I
> am NOT talking about DNS updates here.)  As a consequence, information
> about the home topology is accessible to anybody.  Is this an issue?
> 

We believe this is not an issue, even if there has been discussion in
the DT about that. 

The HA address can be recovered by other means anyway. If you are
referring to possible DoS attacks, I think that not revealing the HA
address during the HA Address discovery is not a viable solution. IKEv2
has mechanisms built in to discourage DoS. Moreover, the Home Agents,
like any other server in the network, should be protected against DoS
attacks, e.g. by overprovision.

> (5)  The DNS server can store multiple HA addresses, so dynamic HA
> assignment is possible in principle.  Do you assume that the 
> DNS server
> is in charge of load balancing or that it can assign a HA 
> topologically
> close to the MN?  (Fault tolerance could be handled by DHAAD.)
> 

I think both are possible. Do you think we need more text about this in
the draft?


--Gerardo

> Allright then.
> 
> - Christian
> 
> --
> Christian Vogt, Institute of Telematics, University of Karlsruhe
> www.tm.uka.de/~chvogt/pubkey/
> 
> 
> 
> Gerardo Giaretta wrote:
> > Dear WG,
> >
> > the bootstrapping DT has submitted a solution draft. The document
> > defines how a Mobile Node can bootstrap MIPv6 operations from
> > non-topological information and pre-configured security 
> credentials. The
> > solution solves the boostrapping problem when the Mobile 
> Node's mobility
> > service is authorized by a different service provider than 
> basic network
> > access (i.e. split scenario).
> >
> > The draft can be found at
> > 
> http://www.ietf.org/internet-drafts/draft-ietf-mip6-bootstrapp
ing-split-
> > 00.txt.
> >
> > The DT is currently working on optimized solutions for integrated
> > scenario (i.e. mobility service and basic network access 
> are authorized
> > by the same entity).
> >
> > Please read the document and provide comments.
> >
> > Thanks and regards,
> >
> > --Gerardo (DT editor)
> 
> 
> 


Gruppo Telecom Italia - Direzione e coordinamento di Telecom Italia S.p.A.

====================================================================
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please send an e_mail to 
MailAdmin@tilab.com. Thank you
====================================================================

_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www1.ietf.org/mailman/listinfo/mip6