Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

Christian Vogt <chvogt@tm.uka.de> Tue, 15 August 2006 11:08 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCwmJ-0006OD-O9; Tue, 15 Aug 2006 07:08:11 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCwmI-0006O8-Jz for mipshop@ietf.org; Tue, 15 Aug 2006 07:08:10 -0400
Received: from iramx1.ira.uni-karlsruhe.de ([141.3.10.80]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GCwmG-0008Ob-4H for mipshop@ietf.org; Tue, 15 Aug 2006 07:08:10 -0400
Received: from i72ms2.tm.uni-karlsruhe.de ([141.3.70.17] helo=smtp.ipv6.tm.uni-karlsruhe.de) by iramx1.ira.uni-karlsruhe.de with esmtps id 1GCwm2-0002TW-C5; Tue, 15 Aug 2006 13:08:00 +0200
Received: from [IPv6:2001:638:204:6:20c:6eff:fe40:8d95] (archimedes.ipv6.tm.uni-karlsruhe.de [IPv6:2001:638:204:6:20c:6eff:fe40:8d95]) by smtp.ipv6.tm.uni-karlsruhe.de (Postfix) with ESMTP id 24972BF47; Tue, 15 Aug 2006 13:07:54 +0200 (CEST)
Message-ID: <44E1AB09.2070904@tm.uka.de>
Date: Tue, 15 Aug 2006 13:07:53 +0200
From: Christian Vogt <chvogt@tm.uka.de>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.5) Gecko/20060725 SUSE/1.5.0.5-0.1 Thunderbird/1.5.0.5 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: "Narayanan, Vidya" <vidyan@qualcomm.com>
Subject: Re: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
References: <C24CB51D5AA800449982D9BCB903251311A60A@NAEX13.na.qualcomm.com>
In-Reply-To: <C24CB51D5AA800449982D9BCB903251311A60A@NAEX13.na.qualcomm.com>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -4.5 (----)
X-Spam-Status: No
X-Spam-Report: -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] -0.1 AWL AWL: From: address is in the auto white-list
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 73734d43604d52d23b3eba644a169745
Cc: mipshop@ietf.org, Jari Arkko <jari.arkko@piuha.net>
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org

Narayanan, Vidya wrote:
>> Good question! I do not recall if this has been analyzed during the
>> design of cga-cba draft. But taking a look at 
>> draft-ietf-mip6-ikev2-ipsec, it does allow the mobile node to 
>> suggest what address to use. I'm not sure the draft says anything
>> about discovering the prefix first before suggesting an address
>> (which would be needed for CGAs), but this seems in general
>> possible in IKEv2. Vijay, are you listening?
> 
> That is one part of the open question. The other part is to analyze 
> whether this has any implication for the home bindings itself - i.e.,
> if the HA knows that this is a CGA-based HoA and if it needs to be
> asserted via a signature, etc. For the moment, I think I can look at
> it both ways :) But, this needs to be thought through further.

That's very true.

From a security perspective, I don't currently see a requirement for the
HA to know that the HoA is CGA-based, given that all MN-HA security is
IPsec-based:

- During bootstrapping, the HA authenticates the MN, assigns or accepts
a HoA, and binds the HoA to the MN's identity.

- During further binding updates, IPsec will again be used to
authenticate the MN, and HoA ownership can then be verified by looking
at the MN-HoA binding established during bootstrapping.

From a practical standpoint, there may be a benefit for the HA to know
that the MN's HoA is CGA-based.  E.g., the same public key may be used
for the IPsec SA and for generation of the CGA-based HoA.  This may help
the HA in verifying whether the MN is authorized to use a specific HoA.
If SEND is used on the home link, proxying the MN's CGA-based HoA would
be an issue.  But all this is actually orthogonal to the CGA-CBA
protocol IMO; I don't see that it's critical.

What do you think?

- Christian

-- 
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/
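Added example (not part of the thread or of any draft discussed in it): the HA-side check Christian sketches above, in which the HA verifies that a proposed HoA is a valid CGA (RFC 3972 generation and verification with SHA-1, Sec value and the u/g bits handled as the RFC specifies) and that it was generated from the same public key the MN authenticated with in IKEv2. The "public keys" are constructed placeholder byte strings standing in for DER-encoded keys, the home prefix is a documentation prefix chosen here, the modifier search starts from a fixed value so the result is reproducible, and `ha_accepts_hoa` is an assumed policy, not something any draft mandates.

```python
"""CGA (RFC 3972) generation and verification, plus an assumed HA-side check
that ties a proposed HoA to the public key the MN authenticated with."""
import hashlib
import ipaddress

# Constructed stand-ins for the DER-encoded public keys RFC 3972 hashes.
# They are not real keys; any byte string works for the hash arithmetic.
MN_PUBLIC_KEY = b"constructed-placeholder-for-DER-encoded-MN-public-key"
OTHER_PUBLIC_KEY = b"constructed-placeholder-for-a-different-public-key"

# Assumed home link prefix (documentation prefix, chosen for this example).
HOME_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")


def _prefix8(prefix):
    """Leftmost 64 bits of the subnet prefix, as carried in the CGA Parameters."""
    if not isinstance(prefix, ipaddress.IPv6Network):
        prefix = ipaddress.IPv6Network(prefix)
    return prefix.network_address.packed[:8]


def _hash1(modifier, prefix8, collision_count, pubkey):
    """Hash1: SHA-1 over modifier | prefix | collision count | public key, leftmost 64 bits."""
    return hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    """Hash2: SHA-1 over modifier | 9 zero bytes | public key; leftmost 16*Sec bits must be zero."""
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return hash2[: 2 * sec] == bytes(2 * sec)


def generate_cga(prefix, pubkey, sec=0, collision_count=0, start_modifier=0):
    """Return (address, cga_params). The modifier search starts at start_modifier
    so results are reproducible here; a real node starts from a random modifier."""
    modifier = start_modifier
    while True:
        mod_bytes = modifier.to_bytes(16, "big")
        if _hash2_ok(mod_bytes, pubkey, sec):
            break
        modifier += 1
    prefix8 = _prefix8(prefix)
    iid = bytearray(_hash1(mod_bytes, prefix8, collision_count, pubkey))
    # Bits 0-2 of the interface identifier carry Sec; bits 6-7 (u/g) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    address = ipaddress.IPv6Address(prefix8 + bytes(iid))
    params = {"modifier": mod_bytes, "prefix": prefix8,
              "collision_count": collision_count, "public_key": pubkey}
    return address, params


def verify_cga(address, params):
    """RFC 3972 section 5 verification of an address against its CGA Parameters."""
    address = ipaddress.IPv6Address(address)
    collision_count = params["collision_count"]
    if collision_count not in (0, 1, 2):
        return False
    if params["prefix"] != address.packed[:8]:
        return False  # parameters claim a different subnet prefix than the address has
    iid = address.packed[8:]
    expected = _hash1(params["modifier"], params["prefix"], collision_count, params["public_key"])
    # Compare the interface identifier ignoring bits 0-2 (Sec) and 6-7 (u/g).
    if (expected[0] & 0x1C) != (iid[0] & 0x1C) or expected[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return _hash2_ok(params["modifier"], params["public_key"], sec)


def ha_accepts_hoa(proposed_hoa, cga_params, ikev2_peer_key, home_prefix=HOME_PREFIX):
    """Assumed HA policy (not from any draft): accept a proposed HoA only if it lies
    in the home prefix, is a valid CGA, and was generated from the same public key
    that authenticated the MN's IKEv2 exchange."""
    if cga_params["public_key"] != ikev2_peer_key:
        return False  # the CGA was not built from the key the MN authenticated with
    if ipaddress.IPv6Address(proposed_hoa) not in home_prefix:
        return False
    return verify_cga(proposed_hoa, cga_params)


if __name__ == "__main__":
    hoa, params = generate_cga(HOME_PREFIX, MN_PUBLIC_KEY, sec=1)
    print("CGA-based HoA:", hoa, "verifies:", verify_cga(hoa, params))
    print("HA accepts with the IKEv2 key:", ha_accepts_hoa(hoa, params, MN_PUBLIC_KEY))
    print("HA accepts with another key:", ha_accepts_hoa(hoa, params, OTHER_PUBLIC_KEY))
```

Note that the HA's check only works because the MN presents the CGA Parameters (modifier, prefix, collision count, key) alongside the HoA; without them the HA can verify nothing beyond the prefix, which is why Vidya's question about what the home registration carries matters. The Sec=1 search costs roughly 2^16 SHA-1 operations, which is why a node does it once and stores the modifier.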



Narayanan, Vidya wrote:
>> Jari Arkko wrote:
>> 
>> Narayanan, Vidya wrote:
>> 
>>> One question regarding CGA-based HoAs - don't we need to specify
>>> how CGA-based HoAs impact home registrations? For instance, the
>> preferred
>>> HoA bootstrapping mechanism today is using IKEv2. I'd
>> imagine that we
>>> will need to specify how a CGA-based HoA is generated after
>> MPD and how
>>> that binding is registered with the HA (i.e., does it need
>> to be signed?
>>> Does the HA also need to know if the HoA has been generated using
>>>  CGAs?).
>>> 
>>> 
>> Good question! I do not recall if this has been analyzed during the
>> design of cga-cba draft. But taking a look at 
>> draft-ietf-mip6-ikev2-ipsec, it does allow the mobile node to 
>> suggest what address to use. I'm not sure the draft says anything
>> about discovering the prefix first before suggesting an address
>> (which would be needed for CGAs), but this seems in general
>> possible in IKEv2. Vijay, are you listening?
>> 
> 
> That is one part of the open question. The other part is to analyze 
> whether this has any implication for the home bindings itself - i.e.,
> if the HA knows that this is a CGA-based HoA and if it needs to be
> asserted via a signature, etc. For the moment, I think I can look at
> it both ways :) But, this needs to be thought through further.
> 
> This would have significant implications to the cga-cba work, in the 
> sense that if we determine that home bindings will need to change,
> that needs to be first standardized and then CGA-based RO can be
> built on top of that.
> 
> Vidya



_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop