Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
Christian Vogt <chvogt@tm.uka.de> Tue, 15 August 2006 11:08 UTC
Message-ID: <44E1AB09.2070904@tm.uka.de>
Date: Tue, 15 Aug 2006 13:07:53 +0200
From: Christian Vogt <chvogt@tm.uka.de>
To: "Narayanan, Vidya" <vidyan@qualcomm.com>
Subject: Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
References: <C24CB51D5AA800449982D9BCB903251311A60A@NAEX13.na.qualcomm.com>
In-Reply-To: <C24CB51D5AA800449982D9BCB903251311A60A@NAEX13.na.qualcomm.com>
Cc: mipshop@ietf.org, Jari Arkko <jari.arkko@piuha.net>
Narayanan, Vidya wrote:

>> Good question! I do not recall if this has been analyzed during the
>> design of cga-cba draft. But taking a look at
>> draft-ietf-mip6-ikev2-ipsec, it does allow the mobile node to
>> suggest what address to use. I'm not sure the draft says anything
>> about discovering the prefix first before suggesting an address
>> (which would be needed for CGAs), but this seems in general
>> possible in IKEv2. Vijay, are you listening?
>
> That is one part of the open question. The other part is to analyze
> whether this has any implication for the home bindings itself - i.e.,
> if the HA knows that this is a CGA-based HoA and if it needs to be
> asserted via a signature, etc. For the moment, I think I can look at
> it both ways :) But, this needs to be thought through further.

That's very true.

From a security perspective, I don't currently see a requirement for the
HA to know that the HoA is CGA-based, given that all MN-HA security is
IPsec-based:

- During bootstrapping, the HA authenticates the MN, assigns or accepts
  a HoA, and binds the HoA to the MN's identity.

- During further binding updates, IPsec will again be used to
  authenticate the MN, and HoA ownership can then be verified by looking
  at the MN-HoA binding established during bootstrapping.

From a practical standpoint, there may be a benefit for the HA to know
that the MN's HoA is CGA-based. E.g., the same public key may be used
for the IPsec SA and for generation of the CGA-based HoA. This may help
the HA in verifying whether the MN is authorized to use a specific HoA.
If SEND is used on the home link, proxying the MN's CGA-based HoA would
be an issue.

But all this is actually orthogonal to the CGA-CBA protocol IMO; I don't
see that it's critical. What do you think?
- Christian

-- 
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/


Narayanan, Vidya wrote:
>> Jari Arkko wrote:
>>
>> Narayanan, Vidya wrote:
>>
>>> One question regarding CGA-based HoAs - don't we need to specify
>>> how CGA-based HoAs impact home registrations? For instance, the
>>> preferred HoA bootstrapping mechanism today is using IKEv2. I'd
>>> imagine that we will need to specify how a CGA-based HoA is
>>> generated after MPD and how that binding is registered with the HA
>>> (i.e., does it need to be signed? Does the HA also need to know if
>>> the HoA has been generated using CGAs?).
>>>
>>>
>> Good question! I do not recall if this has been analyzed during the
>> design of cga-cba draft. But taking a look at
>> draft-ietf-mip6-ikev2-ipsec, it does allow the mobile node to
>> suggest what address to use. I'm not sure the draft says anything
>> about discovering the prefix first before suggesting an address
>> (which would be needed for CGAs), but this seems in general
>> possible in IKEv2. Vijay, are you listening?
>>
>
> That is one part of the open question. The other part is to analyze
> whether this has any implication for the home bindings itself - i.e.,
> if the HA knows that this is a CGA-based HoA and if it needs to be
> asserted via a signature, etc. For the moment, I think I can look at
> it both ways :) But, this needs to be thought through further.
>
> This would have significant implications to the cga-cba work, in the
> sense that if we determine that home bindings will need to change,
> that needs to be first standardized and then CGA-based RO can be
> built on top of that.
>
> Vidya

_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop
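The CGA construction the message refers to (RFC 3972), as an added example that is not code from the thread, from the cga-cba draft, or from any IETF document. It generates a CGA-based HoA from a subnet prefix and a public key, verifies it the way any node (including an HA) can, and ends with a hypothetical `ha_accepts_hoa` check standing in for the HA-side authorization the message speculates about: the HoA suggested over IKEv2 must be a valid CGA generated from the same key that authenticated the IKEv2 peer. Assumptions: `PUBLIC_KEY` is a constructed placeholder byte string rather than a real DER-encoded SubjectPublicKeyInfo, `HOME_PREFIX` is the documentation prefix 2001:db8::/64, and the modifier search starts from a deterministic counter instead of the random value RFC 3972 prescribes, so that the output is reproducible.

```python
"""CGA generation and verification per RFC 3972, as used for a CGA-based
home address (HoA).  Added example; not code from the mailing-list thread
or from any IETF draft.  PUBLIC_KEY is a constructed placeholder, not a
real DER-encoded SubjectPublicKeyInfo, and ha_accepts_hoa is a
hypothetical HA-side check that no specification defines."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed inputs: documentation prefix and a placeholder "public key".
HOME_PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
PUBLIC_KEY = b"constructed placeholder, not a real SubjectPublicKeyInfo"


@dataclass
class CGAParams:
    modifier: bytes           # 16 octets
    subnet_prefix: bytes      # 8 octets, leftmost 64 bits of the address
    collision_count: int      # 0, 1 or 2
    public_key: bytes         # DER SubjectPublicKeyInfo in RFC 3972
    extensions: bytes = b""

    def encode(self) -> bytes:
        return (self.modifier + self.subnet_prefix
                + bytes([self.collision_count]) + self.public_key + self.extensions)


def hash1(params: CGAParams) -> bytes:
    """Leftmost 64 bits of SHA-1 over the complete CGA Parameters."""
    return hashlib.sha1(params.encode()).digest()[:8]


def hash2(params: CGAParams) -> bytes:
    """Leftmost 112 bits of SHA-1 over the parameters with subnet prefix and
    collision count zeroed.  Hash2 does not depend on the prefix, so the costly
    modifier search in generate_cga() can run before the home prefix is known."""
    data = params.modifier + bytes(9) + params.public_key + params.extensions
    return hashlib.sha1(data).digest()[:14]


def hash2_ok(h2: bytes, sec: int) -> bool:
    """The 16*Sec leftmost bits of Hash2 must be zero (trivially true for Sec=0)."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def interface_id(h1: bytes, sec: int) -> bytes:
    """Write Sec into bits 0-2 of Hash1 and clear the u/g bits (bits 6 and 7)."""
    return bytes([(h1[0] & 0x1C) | (sec << 5)]) + h1[1:]


def generate_cga(prefix: bytes, public_key: bytes, sec: int,
                 collision_count: int = 0, start_modifier: int = 0):
    """Find a modifier meeting the Hash2 condition, then derive the address.
    The modifier is a deterministic counter here for reproducibility; RFC 3972
    starts from a random 128-bit value."""
    modifier = start_modifier
    while True:
        params = CGAParams(modifier.to_bytes(16, "big"), prefix, collision_count, public_key)
        if hash2_ok(hash2(params), sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    address = ipaddress.IPv6Address(prefix + interface_id(hash1(params), sec))
    return address, params


def verify_cga(address: ipaddress.IPv6Address, params: CGAParams) -> bool:
    """RFC 3972 section 5: was this address derived from these parameters?"""
    if params.collision_count > 2:
        return False
    packed = address.packed
    if params.subnet_prefix != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5                      # Sec is read from the address itself
    h1 = hash1(params)
    # Hash1 must equal the interface identifier, ignoring the Sec and u/g bits.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return hash2_ok(hash2(params), sec)


def ha_accepts_hoa(hoa: ipaddress.IPv6Address, params: CGAParams, ike_peer_key: bytes) -> bool:
    """Hypothetical HA-side check: the HoA proposed over IKEv2 must be a valid
    CGA generated from the very key that authenticated the IKEv2 peer."""
    return params.public_key == ike_peer_key and verify_cga(hoa, params)


if __name__ == "__main__":
    hoa, params = generate_cga(HOME_PREFIX, PUBLIC_KEY, sec=1)
    print("CGA-based HoA:", hoa, "modifier:", params.modifier.hex())
    print("verify:", verify_cga(hoa, params))
    print("HA check, matching IKEv2 key:", ha_accepts_hoa(hoa, params, PUBLIC_KEY))
    print("HA check, different key:", ha_accepts_hoa(hoa, params, b"some other key"))
```

With Sec=1 the modifier search needs about 2^16 SHA-1 evaluations, which takes well under a second; each further Sec step costs 2^16 times more, which is the hash-extension trade-off that makes brute-forcing someone else's CGA expensive. The prefix only enters Hash1, so a node can precompute the modifier for its key and still derive the HoA immediately once it learns the home prefix.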