Re: [Mip6] Summary of Justification for AlternativeAuthenticationOption
"James Kempf" <kempf@docomolabs-usa.com> Sat, 25 September 2004 08:48 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA13126 for <mip6-web-archive@ietf.org>; Sat, 25 Sep 2004 04:48:12 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CB8LD-0007eu-Cx for mip6-web-archive@ietf.org; Sat, 25 Sep 2004 04:55:39 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CB8AQ-00086R-Ak; Sat, 25 Sep 2004 04:44:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CB86m-0007Lv-Av for mip6@megatron.ietf.org; Sat, 25 Sep 2004 04:40:44 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA12902 for <mip6@ietf.org>; Sat, 25 Sep 2004 04:40:41 -0400 (EDT)
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com ident=fwuser) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CB8Dl-0007Z7-RS for mip6@ietf.org; Sat, 25 Sep 2004 04:48:09 -0400
Message-ID: <004401c4a2db$6c3e0d40$576015ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: Basavaraj.Patil@nokia.com, mip6@ietf.org, gdommety@cisco.com
References: <697DAA22C5004B4596E033803A7CEF4403B1BE7C@daebe007.americas.nokia.com>
Subject: Re: [Mip6] Summary of Justification for AlternativeAuthenticationOption
Date: Sat, 25 Sep 2004 01:41:09 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 932cba6e0228cc603da43d861a7e09d8
Content-Transfer-Encoding: 7bit
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2ed806e2f53ff1a061ad4f97e00345ac
Content-Transfer-Encoding: 7bit
Raj,
Whether we agree is not the point, the point is that Gopal's email was
ostensibly a summary of the discussion on the list, and I believe it missed
an important point that I brought up, namely that IETF cannot mandate
whether an operator enables their HA to accept both kinds of traffic or not,
and if we standardize two ways of doing the same thing - even if we mandate
that the HA support both - an operator can decide to support only one
causing an interoperability problem.
Additonally, I believe Gopal's summary misrepresented my position. My
position is not one of unqualified support for the authentication option. It
is:
- We should select either IPsec or the authentication option (RFC 1958, if
there's two choices for the same functionality, choose one).
- Since we have already standardized IPsec and the authentication option is
only of interest to cdma2K operators, we should process the authentication
option as an informational draft and *NOT* an Internet standard.
I hope that makes my position clearer. I hope, in the future, that the WG
chairs will strive to be a little more accurate and objective when
performing concensus calls.
jak
----- Original Message -----
From: <Basavaraj.Patil@nokia.com>
To: <kempf@docomolabs-usa.com>; <mip6@ietf.org>; <gdommety@cisco.com>
Sent: Friday, September 24, 2004 8:51 AM
Subject: RE: [Mip6] Summary of Justification for
AlternativeAuthenticationOption
James,
I disagree with the need for having such a mechanism in view of the fact
that an HA is expected to support both the authentication schemes
mandatorily.
-BPa
>
> Gopal,
>
> I believe you missed the need for some mechanism to allow an
> MN to determine
> which authentication technique to use. Without this, there is an
> interoperability problem, because the MN cannot infer simply from the
> failure of the signaling that it should try the other method.
>
> jak
>
> ----- Original Message -----
> From: "Gopal Dommety" <gdommety@cisco.com>
> To: <mip6@ietf.org>
> Sent: Thursday, September 23, 2004 2:55 PM
> Subject: [Mip6] Summary of Justification for Alternative
> AuthenticationOption
>
>
> > Hello All,
> >
> > I am attaching a summary of the discussion
> that took place on
> > justification of an alternate authentication mechanism.
> Please let me
> know if
> > I have left out any important issue in the summary. I could
> have also
> mis-read
> > people opinions, so if there is a correction please let me
> know. I will
> > send a follow-up
> > email with the next steps.
> >
> >
> > Thanks,
> > -Gopal
> >
> >
> > Summary
> > =======
> >
> > The WG has been engaged in a discussion over the last week on the
> > topic of standardizing an authentication date suboption based
> > mechanism for the purpose of registering an MN with its HA via the
> > BU/BAck messages.
> > To summarize the discussion in brief:
> > 1. The I-D draft-patil-mip6-whyauthdataoption-00.txt was used as the
> > baseline for the discussion
> > 2. Opinion was expressed that the I-D was more inclined in
> justifying
> > why the use of IKE was a problem for setting up the
> MN-HA IPsec SA
> > and not really providing sufficient justifications for an
> > alternative scheme to the use of IPsec for securing the
> signaling
> > messages between the MN and HA
> > 3. There were a few people who expressed strong views of
> keeping IPsec
> > as the only means for MIP6 security between MN and HA
> (Francis and
> > Hesham (?))
> > 4. There were others who claimed the need for an alternate option to
> > MIP6 including one operator who plans to deploy the protocol in
> > their network (Raj, James Kempf, Alpesh, Gopal, Kuntal,
> Vijay, Michael
> Roe)
> > 5. There was also a note from an implementers perspective on the
> > challenges of integrating MIP6 with IPsec (Michael Roe)
> > 6. There was discussion about the problem of replay attacks and the
> > need for key refreshment
> > 7. IKEv2 is expected to provide a solution to the problem of setting
> > up dynamic SAs in networks that rely on AAA
> infrastructures. While
> > IKEv2 itself has been approved, the details of how IKEv2 is used
> > with MIP6 are still being worked out in an I-D that is not ready
> > yet.
> > 8. There was an opinion that the bootstrap work being done in the WG
> > would address the needs of the environment claimed in I-D
> > draft-patil-mip6-whyauthdataoption-00.txt
> >
> >
> > _______________________________________________
> > Mip6 mailing list
> > Mip6@ietf.org
> > https://www1.ietf.org/mailman/listinfo/mip6
> >
>
>
>
> _______________________________________________
> Mip6 mailing list
> Mip6@ietf.org
> https://www1.ietf.org/mailman/listinfo/mip6
>
_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www1.ietf.org/mailman/listinfo/mip6
- RE: [Mip6] Summary of Justification for Alternati… Basavaraj.Patil
- Re: [Mip6] Summary of Justification for Alternati… James Kempf
- Re: [Mip6] Summary of Justification for Alternati… Gopal Dommety
- Re: [Mip6] Summary of Justification for Alternati… Gopal Dommety