RE: HMIPv6 Security Model (Was Re: [Mipshop] Extension of the WG Last Callondraft-ietf-mipshop-4140bis-00.txt)
"Hesham Soliman" <Hesham@elevatemobile.com> Wed, 29 August 2007 00:22 UTC
Return-path: <mipshop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IQBKX-0006h2-II; Tue, 28 Aug 2007 20:22:45 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IQBKV-0006gP-SP for mipshop@ietf.org; Tue, 28 Aug 2007 20:22:43 -0400
Received: from omta03ps.mx.bigpond.com ([144.140.82.155]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IQBKT-00056F-Iy for mipshop@ietf.org; Tue, 28 Aug 2007 20:22:42 -0400
Received: from oaamta03ps.mx.bigpond.com ([124.190.104.34]) by omta03ps.mx.bigpond.com with ESMTP id <20070829002237.KTYR13239.omta03ps.mx.bigpond.com@oaamta03ps.mx.bigpond.com> for <mipshop@ietf.org>; Wed, 29 Aug 2007 00:22:38 +0000
Received: from PC20005 ([124.190.104.34]) by oaamta03ps.mx.bigpond.com with ESMTP id <20070829002236.OJU15707.oaamta03ps.mx.bigpond.com@PC20005>; Wed, 29 Aug 2007 00:22:36 +0000
From: Hesham Soliman <Hesham@elevatemobile.com>
To: "'Narayanan, Vidya'" <vidyan@qualcomm.com>, 'Vijay Devarapalli' <vijay.devarapalli@AzaireNet.com>
Subject: RE: HMIPv6 Security Model (Was Re: [Mipshop] Extension of the WG Last Callondraft-ietf-mipshop-4140bis-00.txt)
Date: Wed, 29 Aug 2007 10:22:33 +1000
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAZgswlBrljUKcZNe3mbTCm8KAAAAQAAAAQeNnTl1UaEGyABxar9LV5QEAAAAA@elevatemobile.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
In-Reply-To: <C24CB51D5AA800449982D9BCB90325138D165A@NAEX13.na.qualcomm.com>
Thread-Index: Acfpi6V4qwRv+4/QSIOXbi0CBZfXtQAEOhFAAA1u2CA=
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 31b28e25e9d13a22020d8b7aedc9832c
Cc: mipshop@ietf.org, draft-ietf-mipshop-4140bis@tools.ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
Actually, I think the misunderstanding is deeper than that. HMIPv6 never assumed a particular authorisatiom model because it never needed that. We made it very clear when 4140 was published that a form of oppotunistic IPsec would suffice. However, some people wanted a particular deployment model which required authorisation certs ....etc. So, the point to know here is that the authorisation requirements are **deployment** security models and *not* HMIPv6 security models. The protocol security is fine with any of those options. Hesham > -----Original Message----- > From: Narayanan, Vidya [mailto:vidyan@qualcomm.com] > Sent: Wednesday, August 29, 2007 3:59 AM > To: Vijay Devarapalli; Hesham Soliman > Cc: Julien Laganier; mipshop@ietf.org; > draft-ietf-mipshop-4140bis@tools.ietf.org > Subject: RE: HMIPv6 Security Model (Was Re: [Mipshop] > Extension of the WG Last Callondraft-ietf-mipshop-4140bis-00.txt) > > I think there may be a misunderstanding here. Based on earlier > discussions, we were assuming that the MAP is *always* interested in > authenticating the MN identity and ensuring it is authorized > for HMIPv6. > That led to our having a MUST on EAPoIKEv2 support. > However, based on > current discussions, I'm saying that not all networks may > want that type > of authorization in order to provide HMIPv6 service. In > that case, the > support for EAP is in fact, optional on the MAP. > Deployments that are > interested in the authorization aspects will ensure that the MAPs > deployed in their networks support EAP. > > So, the point here is that RFC4306, as specified is sufficient and we > don't need to change any of the normative behavior of IKEv2 > responders. > We do need to add text to clarify what type of authentication is > appropriate for what kind of environments. > > Vidya > > > -----Original Message----- > > From: Vijay Devarapalli [mailto:vijay.devarapalli@AzaireNet.com] > > Sent: Tuesday, August 28, 2007 8:54 AM > > To: Hesham Soliman > > Cc: Narayanan, Vidya; 'Julien Laganier'; mipshop@ietf.org; > > draft-ietf-mipshop-4140bis@tools.ietf.org > > Subject: HMIPv6 Security Model (Was Re: [Mipshop] Extension > > of the WG Last Callondraft-ietf-mipshop-4140bis-00.txt) > > > > Hello, > > > > We seem to be changing the security model assumed for HMIPv6. > > > > My earlier understanding of the HMIPv6 security model is that > > the MAP would like to authenticate the user before granting > > "HMIPv6 service". > > Since the MN and the MAP share no security credentials, the > > MAP has to go back to the home network of the MN to > > authenticate the MN. So EAP support on the MAP was mandated. > > > > A related issue - HMIPv6 may be deployed in an environment > > where the visited network that hosts the MAP would like to > > charge for the "HMIPv6 service". This means the home network > > must be involved in the authentication and authorization. > > > > We now seem to be moving towards a "first come, first serve" > > basis, where the MAP allows the MN HMIPv6 service with a > > self-signed certificate or with BTNS. But once a binding is > > created, the MAP ensures it is the same MN all the time. > > > > I would be fine with the second one, as long as we document > > the new security model. But this might prevent some of the > > deployments I described above. > > > > Vijay > > > > Hesham Soliman wrote: > > > Hi Vidya, all, > > > > > > Thanks for the comments. First I want to say that I > > completely agree > > > with you and Julien on the fact that we don't need to > > mandate EAP. The > > > reason I went along with it was the chairs call for > mandating one > > > method for authentication. I'm very happy with mandating > > self signed > > > certs instead of EAP as the default mechanism. Let's do > > this as a part of the comments on LC. > > > Once we finish receiving comments I'll send this question > > to the list. > > > > > > On the question of binding the ids to the RCoA, I think > > again we're in > > > agreement but we're using different words to express that. > > I think the > > > MAP only needs to know that future BUs were secured by > the same MN > > > that it originally allocated the RCoA. Of course one > would do this > > > indirectly by inferring that since the same key was used to > > secure the > > > BU, then the BU came from the same MN. So there would be > no need to > > > physically tie the MN identity (i nthe form of self signed > > cert or EAP id) to the binding. > > > > > > Hesham > > > > > > > -----Original Message----- > > > > From: Narayanan, Vidya [mailto:vidyan@qualcomm.com] > Sent: > > > Tuesday, August 28, 2007 3:38 AM > To: Hesham Soliman; Julien > > > Laganier; mipshop@ietf.org > Cc: > > > draft-ietf-mipshop-4140bis@tools.ietf.org; Vijay Devarapalli > > > > Subject: RE: [Mipshop] Extension of the WG Last > > > > Callondraft-ietf-mipshop-4140bis-00.txt > > > > > > > > Hi Hesham, Julien, > > > > Just commenting on one point below. > > > > > > > > <snip> > > > > > > > > > > > > > > > > But w.r.t. to the MN, I do not think the MAP needs > > to > > > > > > authenticate it in > the traditional use of the term, i.e. > > > > > verifying the MN identity, and > binding the security > > > > > association established with the MN to that > identity. > > > > > > > > > > => I think we definitely need to bind the SA to the > > identity > > > > > of the MN, otherwise another MN would steal it. But I do > > > agree > > > that the identity of the MN itself is not that important. > > > > > So Verifying the identity during the IKE exchange is > > > > > typically not important, while binding the identity to the > > > > RCoA > > > is important. > > > > > > > > > > > > > The resultant SA must be bound to the RCoA, but, not > > > necessarily > > > to the > identity as known by the EAP method (or the IKEv2 > > IDi), for > > > instance. > > > > In essence, if we separated the "identity" concept from > > the > "IP > > > address" > > > > concept, the SA must be bound to the latter, but, not > > > > necessarily to the > former. > > > > > > > > That actually questions the MUST on the EAP in IKEv2 > > support, which > > > I > think is the point Julien was making. It is an > interesting > > > > point that > has merit in my view. I know we decided on a > > "MUST" on > > > EAP to avoid > forcing PSKs between MNs and MAPs (which is > > > impractical) and to > alternatively avoid forcing certs on MNs > > > (which, depending on who you > ask, would also be qualified as > > > impractical :)). But, > unless the MAP is > interested > > in checking > > > any "authorization" for the MN's use of HMIP > service, an > > > authentication on its identity should not be needed. In > > those > > > environments, it would be sufficient to go with a > > > self-signed cert > > > > from the MN or perhaps with something that BTNS is > > working > on (I > > > haven't > been following the BTNS work - so, can't say that for > > > sure)... > > > > > > > > I recall that we had a discussion earlier and > concluded that > > > > support for > EAP on the MAP must be mandated.. But, I > think it is > > > worth > reconsidering > whether we need to change any of > > the IKEv2 > > > recommendations > at all based > on this point. > > > > > > > > Thanks, > > > > Vidya > > > > > > > > > > > > > > > _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop
- [Mipshop] WG Last Call on draft-ietf-mipshop-4140… Vijay Devarapalli
- Re: [Mipshop] WG Last Call on draft-ietf-mipshop-… Vijay Devarapalli
- Re: [Mipshop] WG Last Call on draft-ietf-mipshop-… Suresh Krishnan
- [Mipshop] Extension of the WG Last Call on draft-… Vijay Devarapalli
- Re: [Mipshop] Extension of the WG Last Call ondra… Frank Xia
- Re: [Mipshop] Extension of the WG Last Call on dr… Jari Arkko
- RE: [Mipshop] Extension of the WG Last Callon dra… Hesham Soliman
- Re: [Mipshop] Extension of the WG Last Call on dr… Thomas C Schmidt
- RE: [Mipshop] Extension of the WG LastCall on dra… Hesham Soliman
- Re: [Mipshop] Extension of the WG Last Call on dr… Julien Laganier
- RE: [Mipshop] Extension of the WG Last Call ondra… Hesham Soliman
- Re: RE: [Mipshop] Extension of the WG Last Call o… Greg Daley
- RE: [Mipshop] Extension of the WG Last Callondraf… Narayanan, Vidya
- RE: [Mipshop] Extension of the WG Last Callondraf… Hesham Soliman
- Re: [Mipshop] Extension of the WG Last Call ondra… Julien Laganier
- HMIPv6 Security Model (Was Re: [Mipshop] Extensio… Vijay Devarapalli
- RE: [Mipshop] Extension of the WG Last Callondraf… Hesham Soliman
- Re: [Mipshop] Extension of the WG Last Call ondra… Julien Laganier
- Re: [Mipshop] Extension of the WG Last Call ondra… Vijay Devarapalli
- Re: [Mipshop] Extension of the WG Last Callondraf… Julien Laganier
- Re: [Mipshop] Extension of the WG Last Callondraf… Julien Laganier
- Re: HMIPv6 Security Model (Was Re: [Mipshop] Exte… Julien Laganier
- Re: [Mipshop] Extension of the WG Last Call ondra… Julien Laganier
- RE: HMIPv6 Security Model (Was Re: [Mipshop] Exte… Narayanan, Vidya
- RE: [Mipshop] Extension of the WG Last Callondraf… Narayanan, Vidya
- Re: [Mipshop] Extension of the WG Last Call ondra… Vijay Devarapalli
- RE: HMIPv6 Security Model (Was Re: [Mipshop] Exte… Hesham Soliman
- RE: [Mipshop] Extension of the WG Last Callondraf… Hesham Soliman
- RE: [Mipshop] Extension of the WG Last Call ondra… Hesham Soliman
- Re: [Mipshop] Extension of the WG Last Call ondra… Vijay Devarapalli
- RE: [Mipshop] Extension of the WG Last Call ondra… Hesham Soliman
- RE: [Mipshop] Extension of the WG Last Callondraf… Narayanan, Vidya
- RE: [Mipshop] Extension of the WG Last Callondraf… Narayanan, Vidya
- Re: [Mipshop] Extension of the WG Last Callondraf… Julien Laganier
- [Mipshop] Conclusion of the WG Last Call on draft… Vijay Devarapalli