Re: [Mip6] bootstrap problem definition

Francis Dupont <Francis.Dupont@enst-bretagne.fr> Mon, 01 March 2004 06:06 UTC

Message-Id: <200403010600.i2160mSj053082@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Jari Arkko <jari.arkko@kolumbus.fi>
cc: mip6@ietf.org, James Kempf <kempf@docomolabs-usa.com>
Subject: Re: [Mip6] bootstrap problem definition
In-reply-to: Your message of Sat, 28 Feb 2004 14:26:47 +0200. <40408907.7000805@kolumbus.fi>
Date: Mon, 01 Mar 2004 07:00:48 +0100

 In your previous mail you wrote:

   >  - dynamic home agent address discovery is a security nightmare: I agree
   >    we should not rely on it.
   
   I agree that it's a security problem, but it's also possible that a future
   protocol would be capable of providing home agent discovery without the
   problems ;-)
   
=> IMHO this future protocol will at least take a long time to appear...

   >  - (3.1.1. Dyn H@ Assignment) dynamically assigned is not the opposite
   >    of statically configured. And there are known extensions (widely
   >    implemented but not standardized) of IKEv1 to support dynamically
   >    assigned "internal" addresses.
   
   Ok. In IKEv2 this is supposed to change, as there will be a standard.
   
=> the draft is clearly about IKEv1 only.

   Once more you have to have policy entries in place.

=> in fact this argument is not true: many IKE implementations support
dynamic policy entries which are built according to the negotiated
traffic selectors and authorization, or, perhaps even more common,
according to the assigned "internal" address of the mobile initiator.
   
   >  - (3.2.1 AAA) Even if I agree that IKE should be clearly integrated with
   >    an AAA system, your statement that it can work only with certificates
   >    is not true.
   
   Our text is too unclear here. I'm not even myself sure what this sentence
   meant. But I think we can agree on the following:
   
   - It would be desirable to integrate a MIPv6 home agent security
      system with AAA (on an optional basis; end-to-end security should
      still be possible)
   
=> Ok but I don't understand the parenthesis.

   - AAA integration in IKEv1 is generally non-existent or at least
     non-standardized.
   
=> I strongly disagree: all IKEv1 implementations for VPN are integrated
with an AAA system. Don't believe that the market didn't require this!

   - AAA integration in IKEv2 should work at least if EAP authentication
      is used. There's currently no "IKEv2 AAA" application defined, but
      I think RFC 3579 (RADIUS EAP) or draft-ietf-aaa-eap-04.txt (Diameter EAP)
      should work. One caveat: I'm not sure we have defined link layer or
      service type for IPsec gateways anywhere. But that's a small detail.

=> I can look at our local IPsec VPN server. There is a RADIUS interface
but I don't know what it uses (this is a Cisco, it should be proprietary
extensions :-).
   
   >  - (3.2.2 Opp/Local discovery) The idea of using the DNS to get information
   >    about the home was in a very old message of someone from Digital
   >    in this list (I can grep into my archive to find the reference).
   
   Please do!
   
=> perhaps there is something older but I got:

> Date:    Mon, 10 Apr 2000 09:15:28 -0400
> To:      MOBILE-IP@STANDARDS.NORTELNETWORKS.COM
> From:    "Powell, Ken" <Ken.Powell@COMPAQ.COM>
> Subject: [MOBILE-IP] Mobile IPv6 questions
>...
> Message-ID:  <C99A689B0CB9D111AF3F0000F8062CCD08FB81B3@zkoexc2.zko.dec.com>

   >  - (4. scenarios) The first scenario (no pre-existing relationship)
   >    has little chance of working with IKEv1, which requires strong
   >    mutual authentication and authorization.
   
   Well, there's always opportunistic IPsec.

=> OE (Opportunistic Encryption) uses DNSSEC to solve this problem.

   But I agree it's in
   general unworkable with the combination of MIPv6 and IKE, for
   reasons that we stated in the draft.
   
Thanks

Francis.Dupont@enst-bretagne.fr
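The dynamic-policy point made in the reply above (an IPsec SPD entry derived from the address the responder assigned and from the authorization bound to the authenticated identity, rather than a static policy entry per mobile node) as an added illustrative model. This is not code from the draft, from the thread, or from any IKE implementation; the identities, prefixes, the authorization table and the function names are constructed assumptions. The two checks are the ones that matter for security: the initiator's traffic selector must be exactly the assigned address, so a peer cannot negotiate policy for another node's address, and the responder's selector must fall inside a prefix the identity was authorized for.

```python
"""Illustrative model of an IKE responder (VPN gateway or MIPv6 home agent)
building an IPsec policy (SPD) entry dynamically from a negotiated exchange.

Added example for the mailing-list thread above; not taken from any IKE
implementation.  All identities, prefixes and the authorization table are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network


@dataclass(frozen=True)
class IkePeer:
    """What the responder knows about a peer after IKE authentication."""
    identity: str                    # authenticated identity (certificate or EAP)
    assigned_internal: IPv6Address   # "internal" (home) address the responder handed out
    care_of: IPv6Address             # outer address the ESP tunnel terminates at


@dataclass(frozen=True)
class SpdEntry:
    src: IPv6Network                 # traffic from the peer's assigned address ...
    dst: IPv6Network                 # ... to an authorized destination prefix
    tunnel_peer: IPv6Address
    protocol: str = "ESP"
    mode: str = "tunnel"


class PolicyError(Exception):
    """Proposed traffic selectors are not covered by the peer's authorization."""


# Constructed authorization table: identity -> destination prefixes it may reach.
AUTHZ = {
    "mn1@example.net": (IPv6Network("2001:db8:2::/64"),),
    "mn2@example.net": (IPv6Network("2001:db8:2::/64"), IPv6Network("2001:db8:3::/48")),
}


def make_peer(identity, assigned_internal, care_of):
    """Build an IkePeer from string addresses (convenience for callers)."""
    return IkePeer(identity, ip_address(assigned_internal), ip_address(care_of))


def build_dynamic_spd(peer, ts_initiator, ts_responder, authz=AUTHZ):
    """Derive the SPD entry for one peer from the negotiated traffic selectors.

    1. The initiator selector (TSi) must be exactly the /128 the responder
       assigned, so a peer cannot claim traffic for another node's address.
    2. The responder selector (TSr) must lie inside a prefix that the
       authenticated identity is authorized to reach.
    """
    tsi = ip_network(ts_initiator, strict=False)
    tsr = ip_network(ts_responder, strict=False)
    assigned = ip_network(f"{peer.assigned_internal}/128")
    if tsi != assigned:
        raise PolicyError(f"{peer.identity}: TSi {tsi} is not the assigned address {assigned}")
    allowed = authz.get(peer.identity, ())
    if not any(tsr.subnet_of(net) for net in allowed):
        raise PolicyError(f"{peer.identity}: TSr {tsr} not authorized (allowed: {allowed})")
    return SpdEntry(src=tsi, dst=tsr, tunnel_peer=peer.care_of)


def negotiate(peer, ts_initiator, ts_responder):
    """Return (entry, None) when the policy is installed, (None, reason) when rejected."""
    try:
        return build_dynamic_spd(peer, ts_initiator, ts_responder), None
    except PolicyError as exc:
        return None, str(exc)


if __name__ == "__main__":
    mn = make_peer("mn1@example.net", "2001:db8:1::5", "2001:db8:ffff::9")
    print(negotiate(mn, "2001:db8:1::5/128", "2001:db8:2::/64"))  # accepted
    print(negotiate(mn, "2001:db8:1::/64", "2001:db8:2::/64"))    # whole prefix claimed: rejected
    print(negotiate(mn, "2001:db8:1::5/128", "2001:db8:3::/48"))  # destination not authorized: rejected
```

The entry is keyed to the assigned address and the authorized prefixes, so nothing has to be pre-provisioned per mobile node beyond the authorization record itself; a static SPD entry per node would only be needed if the responder refused to bind policy to what it just authenticated and assigned.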

_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www.ietf.org/mailman/listinfo/mip6