IETF Logo Mail Archive

Re: [MEXT] [RFC3775 changes] Use of DHAAD mechanism?

Alexandru Petrescu <alexandru.petrescu@gmail.com> Tue, 18 December 2007 09:00 UTC

Return-path: <mext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J4YJr-0006hQ-Pe; Tue, 18 Dec 2007 04:00:55 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J4YJp-0006ZW-Us for mext@ietf.org; Tue, 18 Dec 2007 04:00:53 -0500
Received: from mail119.messagelabs.com ([216.82.241.179]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1J4YJp-0008KA-Iu for mext@ietf.org; Tue, 18 Dec 2007 04:00:53 -0500
X-VirusChecked: Checked
X-Env-Sender: alexandru.petrescu@gmail.com
X-Msg-Ref: server-8.tower-119.messagelabs.com!1197968452!27051474!1
X-StarScan-Version: 5.5.12.14.2; banners=.,-,-
X-Originating-IP: [144.189.100.101]
Received: (qmail 7093 invoked from network); 18 Dec 2007 09:00:52 -0000
Received: from motgate2.mot.com (HELO motgate2.mot.com) (144.189.100.101) by server-8.tower-119.messagelabs.com with SMTP; 18 Dec 2007 09:00:52 -0000
Received: from az33exr03.mot.com (az33exr03.mot.com [10.64.251.233]) by motgate2.mot.com (8.12.11/Motorola) with ESMTP id lBI90q7T012711; Tue, 18 Dec 2007 02:00:52 -0700 (MST)
Received: from az10vts04.mot.com (az10vts04.mot.com [10.64.251.245]) by az33exr03.mot.com (8.13.1/Vontu) with SMTP id lBI90pBW009577; Tue, 18 Dec 2007 03:00:51 -0600 (CST)
Received: from [127.0.0.1] (zfr01-2117.crm.mot.com [10.161.201.117]) by az33exr03.mot.com (8.13.1/8.13.0) with ESMTP id lBI90n7Q009490; Tue, 18 Dec 2007 03:00:50 -0600 (CST)
Message-ID: <47678C3B.5080401@gmail.com>
Date: Tue, 18 Dec 2007 10:00:43 +0100
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Subject: Re: [MEXT] [RFC3775 changes] Use of DHAAD mechanism?
References: <729b68be0712110521g51bde3c5wb83d8569fa170449@mail.gmail.com> <475FF84F.7000802@gmail.com> <729b68be0712171524gcc5d42xb1294369e65e72c6@mail.gmail.com>
In-Reply-To: <729b68be0712171524gcc5d42xb1294369e65e72c6@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 071217-0, 17/12/2007), Outbound message
X-Antivirus-Status: Clean
X-CFilter-Loop: Reflected
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 25620135586de10c627e3628c432b04a
Cc: mext@ietf.org
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
Errors-To: mext-bounces@ietf.org

Jean-Michel Combes wrote:
> Hi Alex,
> 
> 2007/12/12, Alexandru Petrescu <alexandru.petrescu@gmail.com>:
>> Jean-Michel Combes wrote:
>>> Hi,
>>> 
>>> 
>>> Section, sub-section and paragraph involved: 5.3, 6.5, 6.6, 10.5,
>>>  11.4.1
>>> 
>>> OLD TEXT: --
>>> 
>>> NEW TEXT: None
>>> 
>>> Motivations: - Two proposals have been specified and adopted by
>>> the MIP6 WG to allow a MN to get its HA (i.e. bootstrapping
>>> mechanisms for the split and the integrated scenario). - The
>>> present DHAAD mechanism is, more or less, a scanning tool
>>> allowing anyone to know what/where are the HAs owned by a
>>> Mobility Service Provider. - AFAIK, DHAAD has not a critical use
>>> in others MIPv6 based protocols
>>> 
>>> So, I wonder if it is still useful to keep the DHAAD mechanism in
>>> the MIPv6 specification.
>>> 
>>> Comments are welcome.
>> I support keeping DHAAD in the current spec.  If necessary, I can 
>> suggest new clarifying text saying that DHAAD used in conjunction
>> with MPD and a proper IPsec SA setting leads to effective HA
>> address and Home Address bootstrapping on MN while at home and
>> while away from home.
> 
> In your reply, there are 2 points:
> 
> o DHAAD is unsecured

I'm not sure how much insecure it is.  I agree that the semantics of a
anycast address seem less securable than a unicast address (with IPsec.)

> I strongly agree and this is one reason of this thread. There was a
> long discussion, IIRC, at Yokohama about this point but, again IIRC,
> at the moment, DHAAD was the only mechanism for a MN to discover its
> potential HAs. There were drafts about this security issue and
> potential solutions: at first to secure DHAAD
> (draft-dupont-mip6-dhaadharmful) and, later, the MIPv6 bootstrapping
> solution in the split scenario (draft-dupont-ikev2-haassign).

Any address discovery mechanism has an insecurity part in it.  DHCPv6 
has too.

It's not like there's a secure counterpart that we should use instead of 
the insecure DHAAD.

IKEv2 could securely assign the HA and maybe the HoA too, but maybe has 
too many message exchanges.

> o DHAAD as alternative MIPv6 bootstrapping solution That would mean
> to keep a third MIPv6 bootstrapping solution.

I'd call it a 0th :-)

> So, IHMO, I still don't see concrete/critical reasons to keep the 
> DHAAD mechanism in the RFC3775bis.

Ok, let's see.

Alex


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

_______________________________________________
MEXT mailing list
MEXT@ietf.org
https://www1.ietf.org/mailman/listinfo/mext

v2.23.0 | Report a Bug | By Email