Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

Christian Vogt <chvogt@tm.uka.de> Tue, 15 August 2006 18:58 UTC

Message-ID: <44E2195B.9070900@tm.uka.de>
Date: Tue, 15 Aug 2006 20:58:35 +0200
From: Christian Vogt <chvogt@tm.uka.de>
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
References: <C24CB51D5AA800449982D9BCB903251311A60A@NAEX13.na.qualcomm.com> <44E1AB09.2070904@tm.uka.de> <44E1C024.8020103@piuha.net> <7.0.1.0.2.20060815094403.05b12f28@qualcomm.com>
In-Reply-To: <7.0.1.0.2.20060815094403.05b12f28@qualcomm.com>
Cc: mipshop@ietf.org, Jari Arkko <jari.arkko@piuha.net>

Hi Lakshminath,

We do HoA authorization in any case.  The question is how:

(a)  According to RFC 3775, the HA binds the MN's HoA to the IPsec SA
during bootstrapping and re-verifies the HoA whenever it receives a BU
from the MN.

(b)  An alternative to this would be to have the HA verify the MN's HoA
based on a CGA property.  This is what Vidya brought in.

Given that approach (a) already exists for HoA verification (it's the
default), there is actually no strong need for an additional approach
(b), although it may be handy in some deployments.

Best,
- Christian

-- 
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/
Lakshminath Dondeti wrote:
> At 05:37 AM 8/15/2006, Jari Arkko wrote:
>> Christian Vogt wrote:
>> 
>>> From a security perspective, I don't currently see a requirement 
>>> for the HA to know that the HoA is CGA-based, given that all 
>>> MN-HA security is IPsec-based:
>> 
>> Agreed.
> 
> I am confused by this and trying to understand the statement.
> Doesn't this really depend on the security requirements?  CGAs and
> secure channels (IPsec SA) provide very different things.  We might
> say that there are no current requirements for HoA authorization and
> I can buy that, but saying that the presence of an IPsec-based secure
> channel obviates the need for CGAs confuses me.  What am I missing?
> 
> regards, Lakshminath
_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop
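As an added illustration, not part of this thread or of the draft under review: a minimal implementation of the CGA generation and verification steps of RFC 3972, showing what a home agent would actually check under approach (b), i.e. that the public key presented by the MN really "owns" the HoA. The subnet prefix and the public-key bytes are constructed stand-ins (the real structure carries a DER-encoded key), and the parameter names are this example's own.

```python
import hashlib
import os


def _hash1(modifier, prefix, collision_count, pubkey_der):
    # Hash1 = SHA-1(CGA Parameters); its leftmost 64 bits form the interface ID.
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey_der).digest()


def _hash2(modifier, pubkey_der):
    # Hash2 = SHA-1(modifier || 9 zero bytes || public key); leftmost 16*sec bits must be 0.
    return hashlib.sha1(modifier + bytes(9) + pubkey_der).digest()


def _hash2_ok(modifier, pubkey_der, sec):
    return sec == 0 or int.from_bytes(_hash2(modifier, pubkey_der)[:2 * sec], "big") == 0


def generate_cga(prefix, pubkey_der, sec, collision_count=0, modifier=None):
    """MN side: return (16-byte address, CGA parameters) for an 8-byte subnet prefix."""
    modifier = os.urandom(16) if modifier is None else modifier
    # Hash extension: brute-force the modifier until Hash2 has 16*sec leading zero bits.
    while not _hash2_ok(modifier, pubkey_der, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey_der)[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # bits 0-2 := sec, bits 6-7 (u/g) := 0
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey_der": pubkey_der}
    return prefix + bytes(iid), params


def verify_cga(address, params):
    """Verifier side (what the HA would run): does this key really own this address?"""
    prefix, iid = address[:8], address[8:]
    if params["collision_count"] not in (0, 1, 2) or params["prefix"] != prefix:
        return False
    h1 = _hash1(params["modifier"], prefix, params["collision_count"], params["pubkey_der"])[:8]
    # Compare Hash1 with the interface ID, ignoring bits 0-2 (sec) and 6-7 (u/g).
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5  # read sec back from the three leftmost bits
    return _hash2_ok(params["modifier"], params["pubkey_der"], sec)


if __name__ == "__main__":
    # Constructed sample input: a documentation prefix and a stand-in for a DER public key.
    prefix = bytes.fromhex("20010db800000001")
    key = b"constructed stand-in for a DER-encoded RSA public key"
    addr, params = generate_cga(prefix, key, sec=1)
    print(addr.hex(), verify_cga(addr, params))
```

Binding the key to the address is all a CGA gives the HA; it says nothing about which MN is allowed to use which HoA, which is the authorization that RFC 3775 ties to the IPsec SA instead.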