Re: [netext] Security question on anycast mode of draft-ietf-netext-redirect-01

jouni korhonen <jouni.nospam@gmail.com> Fri, 30 April 2010 04:25 UTC

From: jouni korhonen <jouni.nospam@gmail.com>
To: "Laganier, Julien" <julienl@qualcomm.com>
Cc: "netext@ietf.org" <netext@ietf.org>, "draft-ietf-netext-redirect@tools.ietf.org" <draft-ietf-netext-redirect@tools.ietf.org>
Date: Fri, 30 Apr 2010 07:16:46 +0300
Subject: Re: [netext] Security question on anycast mode of draft-ietf-netext-redirect-01
In-Reply-To: <BF345F63074F8040B58C00A186FCA57F1EFEFD75E3@NALASEXMB04.na.qualcomm.com>
Message-Id: <83C58D2A-6A70-4B12-8E46-F0DB32F8E343@gmail.com>
List-Archive: <http://www.ietf.org/mail-archive/web/netext>

Hi Julien,

On Apr 29, 2010, at 2:15 AM, Laganier, Julien wrote:

> Hello,
> 
> I have a security question on the anycast mode described in Section 1 of the draft:
> 
>   o  Support for IPv6 anycast addressing [RFC4291]: the current PMIPv6
>      specification does not specify how the PMIPv6 protocol should
>      treat anycast addresses assigned to mobility agents.  Although
>      [RFC4291] now allows using anycast addresses as source addresses,
>      it does not make much sense using anycast addresses for the MAG to
>      the LMA communication after the initial PBU/PBA exchange.  For
>      example, a blade architecture LMA may appear to the routing system
>      as multiple LMAs with separate unicast IP addresses and with one
>      or more "grouping" anycast addresses.
> 
> I understand from the above that a group of LMAs would be addressed with a common anycast address, and the first PBU would be sent to this anycast address, and redirection would follow to one of the unicast addresses of a specific LMA.

Subsequent PBUs would be sent to a unicast address of a specific LMA.

> 
> If that is correct, I am wondering how will the SA between the MAG and the anycast LMA be looked up?

In the same way as SAs for unicast addresses. If SAs are built for anycast addresses, you basically have to fall back to manual keying of SAs (i.e. multiple LMAs share the same keys etc.) and in most cases give up on replay protection (unless LMAs are somehow able to share sequence number state). Other than those, there is no difference to SA configuration or usage compared to the unicast case.

- Jouni



> 
> --julien
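The replay-protection caveat in the reply above, as an added example that is not part of the thread or of draft-ietf-netext-redirect: a minimal model of the RFC 4303 anti-replay sliding window, with two LMA blades behind one anycast address that are manually keyed with the same inbound SA. The blade names, the anycast address 2001:db8::1, the SPI 0x1234 and the 64-entry window are constructed for illustration. Whether the blades share the ReplayWindow object is the only difference between the two runs, which is exactly the "share sequence number state" condition named in the reply.

```python
# Added example, not code from the netext thread or the draft. Models an
# ESP-style anti-replay window (RFC 4303 section 3.4.3) to show why a manually
# keyed SA shared by several LMA blades behind one anycast address loses
# replay protection unless the blades share sequence-number state.
# Blade names, addresses, SPI and window size are constructed assumptions.

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WINDOW = 64  # RFC 4303 minimum anti-replay window size (assumed here)


@dataclass
class ReplayWindow:
    """Sliding window over received ESP sequence numbers."""
    top: int = 0       # highest sequence number accepted so far
    bitmap: int = 0    # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh, False if replayed/too old."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:                    # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW:                  # older than the window: drop
            return False
        if self.bitmap & (1 << offset):       # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


@dataclass
class LMABlade:
    """One LMA behind the anycast address; inbound SAs are looked up by (SPI, dst)."""
    name: str
    # With manual keying every blade is configured with the same SPI/key for
    # the anycast address, so the lookup key is identical on every blade; the
    # only question is whether the ReplayWindow behind it is shared.
    inbound_sas: Dict[Tuple[int, str], ReplayWindow] = field(default_factory=dict)

    def receive(self, spi: int, dst: str, seq: int) -> bool:
        window = self.inbound_sas.get((spi, dst))
        if window is None:
            return False                      # no matching SA: drop
        return window.check_and_update(seq)


ANYCAST_LMA = "2001:db8::1"   # constructed "grouping" anycast address
SPI = 0x1234                  # constructed; same on every blade (manual keying)


def build_blades(shared_state: bool) -> List[LMABlade]:
    """Two blades behind the anycast address, optionally sharing replay state."""
    shared = ReplayWindow()
    blades = []
    for name in ("blade-a", "blade-b"):
        window = shared if shared_state else ReplayWindow()
        blades.append(LMABlade(name, {(SPI, ANYCAST_LMA): window}))
    return blades


def replay_attack(shared_state: bool) -> bool:
    """Return True if a replayed PBU is accepted by some blade.

    The MAG's initial PBUs (seq 1..3) are routed by anycast to blade-a. An
    attacker records the packet with seq 2 and replays it toward the anycast
    address; this time the routing system delivers the copy to blade-b.
    """
    blade_a, blade_b = build_blades(shared_state)
    for seq in (1, 2, 3):
        if not blade_a.receive(SPI, ANYCAST_LMA, seq):
            raise RuntimeError("fresh sequence number must be accepted")
    # A replay to the blade that saw the original is always caught.
    if blade_a.receive(SPI, ANYCAST_LMA, 2):
        raise RuntimeError("replay to the same blade must be rejected")
    # A replay delivered to the other blade is caught only with shared state.
    return blade_b.receive(SPI, ANYCAST_LMA, 2)


if __name__ == "__main__":
    print("independent windows, replay accepted:", replay_attack(False))  # True
    print("shared window, replay accepted:", replay_attack(True))         # False
```

Once the MAG has been redirected to a specific LMA's unicast address, the SA for that address is held by a single blade with its own window, so the problem is confined to traffic still addressed to the anycast address (the initial PBU in the draft's model).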