IETF Logo Mail Archive

RE: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

"Narayanan, Vidya" <vidyan@qualcomm.com> Tue, 15 August 2006 18:02 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD3FQ-0002LC-LK; Tue, 15 Aug 2006 14:02:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD3FP-0002Kz-Cp for mipshop@ietf.org; Tue, 15 Aug 2006 14:02:39 -0400
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GD3FM-0003OZ-W3 for mipshop@ietf.org; Tue, 15 Aug 2006 14:02:39 -0400
Received: from magus.qualcomm.com (magus.qualcomm.com [129.46.61.148]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id k7FI2T8j015288 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 15 Aug 2006 11:02:30 -0700
Received: from NAEXBR03.na.qualcomm.com (naexbr03.qualcomm.com [129.46.134.172]) by magus.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id k7FHwQg3003820; Tue, 15 Aug 2006 11:02:25 -0700 (PDT)
Received: from NAEX13.na.qualcomm.com ([129.46.51.248]) by NAEXBR03.na.qualcomm.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 15 Aug 2006 10:59:24 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
Date: Tue, 15 Aug 2006 10:59:22 -0700
Message-ID: <C24CB51D5AA800449982D9BCB903251311A6D3@NAEX13.na.qualcomm.com>
In-Reply-To: <44E1C024.8020103@piuha.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
Thread-Index: AcbAZ7fT1EG0HKivSUWDZujRGVYslwAKcRAQ
From: "Narayanan, Vidya" <vidyan@qualcomm.com>
To: Jari Arkko <jari.arkko@piuha.net>, Christian Vogt <chvogt@tm.uka.de>
X-OriginalArrivalTime: 15 Aug 2006 17:59:24.0558 (UTC) FILETIME=[8AF40AE0:01C6C094]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: mipshop@ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org

 

> -----Original Message-----
> From: Jari Arkko [mailto:jari.arkko@piuha.net] 
> 
> Christian Vogt wrote:
> 
> >From a security perspective, I don't currently see a requirement for 
> >the HA to know that the HoA is CGA-based, given that all 
> MN-HA security 
> >is
> >IPsec-based:
> >
> Agreed.
> 

I don't know that this is true. As we know, what we get from IPsec and
CGAs are quite orthogonal benefits. In the case where the HA assigns the
HoA via IKEv2, HoA authorization at the HA is not needed, since the HA
knows that the IPsec SA is tied to the owner of the corresponding HoA.
Now, systems that allow stateless autoconfiguration of HoAs may or may
not want to ensure that those IP addresses are authorized and verified.
If a system employs CGAs in the network, it is actually an indication
that the system deployment cares about IP address ownership
verification. In this case, it actually seems to me that the HA being
able to verify the CGA would be very valuable and needed. 


> >From a practical standpoint, there may be a benefit for the 
> HA to know 
> >that the MN's HoA is CGA-based.
> >  
> >
> Its possible to design mechanisms that employ the same tools 
> also for the home agent registrations, or use the help of the 
> home agent in the RO process. Such mechanisms would likely 
> have some advantages. 

Yes, I agree with the above. For this purpose, I think we should analyze
this further to see how best RO can be actually optimized. Actually,
considering all of this is why I suggested that if we want to get an RFC
on the cga-cba work now, it should preferably be experimental, so that,
we can move it to PS after we fully analyze the space and are convinced
this is optimized in the best possible way. 

> OTOH, there is also some value in 
> keeping the two RO and HA registration mechanisms separate. 
> E.g., you don't have to sync HA and MN code updates. IKEv2, 
> auth option, and RFC 3776 all can support CGAs, though some 
> with extra config effort.
> 

Given that MIP6 hasn't seen much deployment yet and that RO is not even
considered in the pipeline yet in most planned MIP6 deployments even, I
am not so concerned about code updates. I think we should work towards
getting a fully optimized solution, so that RO in general starts looking
more attractive than it currently is. 

Vidya

_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop

v2.23.0 | Report a Bug | By Email