RE: CGA-based HoA generation for MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

[Wassim Haddad <whaddad@tcs.hut.fi>]

On Tue, 15 Aug 2006, Narayanan, Vidya wrote:

> I don't know that this is true. As we know, what we get from IPsec and
> CGAs are quite orthogonal benefits. In the case where the HA assigns the
> HoA via IKEv2, HoA authorization at the HA is not needed, since the HA
> knows that the IPsec SA is tied to the owner of the corresponding HoA.
> Now, systems that allow stateless autoconfiguration of HoAs may or may
> not want to ensure that those IP addresses are authorized and verified.
> If a system employs CGAs in the network, it is actually an indication
> that the system deployment cares about IP address ownership
> verification. In this case, it actually seems to me that the HA being
> able to verify the CGA would be very valuable and needed.

=> Perhaps "very" is a strong word. Can you please clarify why?
I still fail to understand why if the MN (wanting to use RO mode with the
CN) decides to use CGA with the CN then enabling the HA to verify the CGA
is very valuable? Do you have any particular threat in mind? If not, can
you please point to the advantage?

> > >From a practical standpoint, there may be a benefit for the
> > HA to know that the MN's HoA is CGA-based.
> > >
> > Its possible to design mechanisms that employ the same tools
> > also for the home agent registrations, or use the help of the
> > home agent in the RO process. Such mechanisms would likely
> > have some advantages.
>
> Yes, I agree with the above. For this purpose, I think we should analyze
> this further to see how best RO can be actually optimized.

=> This sounds very general to me (especially that OMIPv6_CGA_CBA is
about the RO mode only). The goals that OMIPv6 aims to achieve are
clearly stated in the draft and the draft also explains why and how these
goals have been achieved. I'd be very interested if you can please clarify
what exactly you see as a problem in the RO mode (only) and would like to
see optimized?

> > E.g., you don't have to sync HA and MN code updates. IKEv2,
> > auth option, and RFC 3776 all can support CGAs, though some
> > with extra config effort.
>
> Given that MIP6 hasn't seen much deployment yet and that RO is not even
> considered in the pipeline yet in most planned MIP6 deployments even, I
> am not so concerned about code updates. I think we should work towards
> getting a fully optimized solution, so that RO in general starts looking
> more attractive than it currently is.

=> Again this sems very general. Please clarify more.
Note that other *additional* optimization (which are directly or
indirectly connected to the mobility) are already "ongoing" work.


Wassim H.

_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop