IETF Logo Mail Archive

Re: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)

"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Thu, 28 August 2014 01:04 UTC

Return-Path: <sgundave@cisco.com>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAA4C1A03C5; Wed, 27 Aug 2014 18:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.168
X-Spam-Level:
X-Spam-Status: No, score=-15.168 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nhZKjHo0jyXJ; Wed, 27 Aug 2014 18:03:59 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 041B01A0328; Wed, 27 Aug 2014 18:03:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=42843; q=dns/txt; s=iport; t=1409187839; x=1410397439; h=from:to:cc:subject:date:message-id:in-reply-to: mime-version; bh=DCzt9kFVyGZ/0+QHSn5DpL2XGgVlQIk4QYzHJjs1yL4=; b=ZfwAh3SRrGfC4UIE1qWxPTFjEi5klv6hh6JOhoClEeLbR7xSoWK9dWAu bmPiLbIRDNR+CVKnjj4+wiOpN15VrkAxGbrPaIt6LsG6sKa8nCjLm1Dye 5C72vnCmrOz3xw95c5TxXaiiFShbaj4wiAHOp7Cv8tMK5z49ZmhDoSCbq 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlQNAFR//lOtJV2a/2dsb2JhbABFFoJHRlNXBIQUxiuBWwENhnhTAYEUFneEBAEBBAEBARcBTAcLEgEIOAECBC4LFBECBAENBYhCDb9VF4wdgkZlBAYBhEwFhQQCgQwBiQiCFIQthnyBW4o6gh+GZoIYgUZsAQEBAYFEgQcBAQE
X-IronPort-AV: E=Sophos; i="5.04,414,1406592000"; d="scan'208,217"; a="72999097"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-8.cisco.com with ESMTP; 28 Aug 2014 01:03:57 +0000
Received: from xhc-aln-x02.cisco.com (xhc-aln-x02.cisco.com [173.36.12.76]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s7S13vfR032207 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 28 Aug 2014 01:03:57 GMT
Received: from xmb-aln-x03.cisco.com ([169.254.6.223]) by xhc-aln-x02.cisco.com ([173.36.12.76]) with mapi id 14.03.0195.001; Wed, 27 Aug 2014 20:03:57 -0500
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)
Thread-Index: AQHPwlvx+OeeHus8aEmDnP3e/n1ViA==
Date: Thu, 28 Aug 2014 01:03:56 +0000
Message-ID: <D023CBF3.15BFFF%sgundave@cisco.com>
In-Reply-To: <53F7CDE4.6000800@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.32.246.213]
Content-Type: multipart/alternative; boundary="_000_D023CBF315BFFFsgundaveciscocom_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/h-hTSEEFX_egvJ6GErUbsq_P0xo
Cc: "netext@ietf.org" <netext@ietf.org>, "netext-chairs@tools.ietf.org" <netext-chairs@tools.ietf.org>, "draft-ietf-netext-pmip-cp-up-separation@tools.ietf.org" <draft-ietf-netext-pmip-cp-up-separation@tools.ietf.org>
Subject: Re: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 01:04:05 -0000

Hi Stephen,

Please see the below text on security considerations for CP and UP traffic protection. On thinking about this further, I have a feeling we are adding a additional requirement here on User-Plane node on IPsec implementation.

The base line text in RFC 5213 requires IPSec as mandatory-to-implment mechanism. However, it does not require the same for user -plane traffic protection. But, one can argue that IPSec was implemented for CP traffic protection and therefore implementation on that UP (UP-CP combo) node already existed. I cannot beat that argument, but that was not surely the original intent in RFC5213. Any ways, I'm fine having IPsec as a mandatory-to-implement on both CP and UP nodes. Please see the below text.



NEW:

The Proxy Mobile IPv6 specification [RFC5213] requires the signaling messages between the MAG and the LMA to be protected using end-to-end security association(s) offering integrity and data origin authentication. The base specification also requires IPsec a mandatory-to-implement security mechanism.

In deployments where the Control and User Plane functions on the MAG and LMA are separated and hosted on different IP nodes, the nodes hosting those respective Control Plane functions have to still meet the above the security requirement. The Proxy Mobile IPv6 signaling messages exchanged between these entities MUST be protected using end-to-end security association(s) offering integrity and data origin authentication. Furthermore, IPsec is a mandatory-to-implement security mechanism for the nodes hosting the Control Plane function of the MAG and LMA. Additional documents may specify alternative mechanisms and the mobility entities can enable a specific mechanism for securing Proxy Mobile IPv6 signaling messages, based on either a static configuration or after a dynamic negotiation using any standard security negotiation protocols.

As per the Proxy Mobile IPv6 specification, the use of IPsec for protecting the mobile node's user plane traffic is optional. This specification extends the same requirement and therefore requires the nodes hosting the User Plane functions of the MAG and the LMA to have IPsec as a mandatory-to-implement security mechanism, but make the use of IPsec as optional for User Plane traffic protection.



Text in RFC5213:


   The signaling messages, Proxy Binding Update, and Proxy Binding
   Acknowledgement, exchanged between the mobile access gateway and the
   local mobility anchor, MUST be protected using end-to-end security
   association(s) offering integrity and data origin authentication.

   The mobile access gateway and the local mobility anchor MUST
   implement IPsec for protecting the Proxy Mobile IPv6 signaling
   messages [RFC4301].  IPsec is a mandatory-to-implement security
   mechanism.  However, additional documents may specify alternative
   mechanisms and the mobility entities can enable a specific mechanism
   for securing Proxy Mobile IPv6 signaling messages, based on either a
   static configuration or after a dynamic negotiation using any
   standard security negotiation protocols.  As in Mobile IPv6
   [RFC3775], the use of IPsec for protecting a mobile node's data
   traffic is optional.


Regards
Sri




On 8/22/14 4:10 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:



On 23/08/14 00:08, Sri Gundavelli (sgundave) wrote:
Hi Stephen,
Thanks for the review.
In this case, you're not even requiring implementation.
So if say, a MAG-UP were to talk to a LMA that is both
CP and UP, then the latter node would support IPsec for
UP, if so configured, but the MAG-UP might not even
implement IPsec.
Does that mean that you need to a a requirement here to
make IPsec MTI for the MAG-UP and LMA-UP, so that they
can interop with non-split MAGs and LMAs?
Requiring IPsec implementation on both the MAG-UP and LMA-UP nodes is a fair requirement. We can certainly state that. If an operator chooses to do so they can configures IPSec policy on LMA-UP and MAG-UP for PMIP tunnel traffic protection. This will keep the spec consistent with the base RFC5213.
The signaling between LMA-CP and MAG-CP  needs to be protected by IPsec and that is a mandatory requirement in RFC5213. No change there. This specification still requires IPsec protection for control plane traffic between MAG-CP and LMA-CP.
We will draft some text to reflect this and post it for your review.

Great thanks,
S.


Regards
Sri
On 8/22/14 3:51 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie>> wrote:
Hiya,
Sorry for the slow response...
The indentation below is a bit messed up, I hope its clear
who's saying what.
On 13/08/14 17:45, Sri Gundavelli (sgundave) wrote:
HI Stephen,
Please see inline.
On 8/13/14 5:21 AM, "Stephen Farrell"
<stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie>> wrote:
Hiya,
A few follow ups...
On 09/08/14 17:54, Sri Gundavelli (sgundave) wrote: Hi Stephen,
Thanks for the review. Please see inline. On 8/7/14 5:50 AM, "Stephen
Farrell"
<stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie>> wrote:
I have two questions. They could be easy or hard, I'm not sure:-)
Apologies in advance if I've forgotten what little I ever knew about
PMIPv6 and gotten stuff wrong here. Not at all. Thanks for the
discussion.
(1) PMIPv6 traffic between MAG and LMA is generally assumed to be
protected via IPsec, right? Assuming that's actually done, does
figure 1 here indicate a weakening of security since it shows that IP
encapsulation is used between MAG-UP and LMA-UP without any mention
of IPsec. Is that downgrading security? I get that the binding
messages are the most important and will presumably continue on the
control plane but what else changes? Yes. PMIPv6 allows the use of
IPsec security (Tunnel Mode ESP) protection
"allows"? Do you happen to know if that's really used or not in
practice? (That's not a DISCUSS point, but I do wonder.)
Security for user-plane traffic protection is used in very few
deployments.
Ah.
Taking the Service Provider Wi-Fi deployment as an
example, there is 802.1x security on the air interface, and then
there is typical end to end application security (even a Google
search is HTTPS protected).  Now requiring security on the user plane
traffic between two points in the operator network (LMA and MAG) is
some what redundant, IMO. Use of IPsec for UP traffic protection is
optional per MIPv6/PMIPv6 specs.  I'd say banking type
applications/deployments requires such multi-layer security.
Hmm. I don't see that it makes any sense to assume IPsec is
done differently per-application. So I guess we ought assume
that IPsec isn't used for user traffic.
Is it really used for control plane traffic do you know?
But in a sense this spec is lowering the bar a little.
5213 requires implementation of IPsec on the node that
carries the UP traffic, even if it doesn't require its
use.
In this case, you're not even requiring implementation.
So if say, a MAG-UP were to talk to a LMA that is both
CP and UP, then the latter node would support IPsec for
UP, if so configured, but the MAG-UP might not even
implement IPsec.
Does that mean that you need to a a requirement here to
make IPsec MTI for the MAG-UP and LMA-UP, so that they
can interop with non-split MAGs and LMAs?
I'd assume that'd be easy enough and it'd clear up
that discuss point.
for the user-plane traffic. This is optional and is based on
standard IPsec security. It requires no special interaction between
IPsec and the Proxy Mobile IPv6 entities. In the split mode (LMA ==>
LMA-CP & LMA-DP),
What's LMA-DP? That's not mentioned in the draft? I assume you mean
what the draft calls LMA-UP? (I.e. DP = data plane being the same as
UP = user plane?)
Apologies for the terminology mix up. Yes. LMA-DP (Data Plane) should
be the LMA-UP (User Plane)
the MAG (or MAG-DP) and the LMA-DP can optionally enable IPsec
security on the user-plane traffic.
Hmm. So you're saying IPsec can be on for the control plane and off
for the user plane independently? Is that a good plan? I guess it'd
be a bad plan if it were the other way around?
I'd say this is the approach in use for today's integrated LMA
(LMA-UP + LMA-CP) based deployments. IPsec security is enabled for CP
traffic by default, as it is mandated by PMIPv6 specs. However, the
IPsec security for UP is a optional requirement and most deployments
don't enable IPsec for UP traffic protection.
MAG-DP establishes a layer-3 p2p tunnel to LMA-DP and both these
peers can be configured to apply IPsec security on the tunneled
traffic. So, there is no loss of functionality here and the CP/DP
split approach is not resulting in weakened security.
Well, it might if IPsec is on for one and off for the other.
Or, if say MAG-CP and MAG-UP are from different vendors, then I don't
know how they signal to one another to turn on/off IPsec if what we
want is for IPsec to be on for both or off for both.
I'd look at IPsec as a security policy between two peers. Use of
IPsec for CP messages between two CP nodes (Ex: MAP-CP and LMA-CP)
should not have any bearing on the use/non-use of IPsec security
between two UP nodes (Ex: MAG-UP and LMA-UP). The security policy on
the two UP nodes strictly determine the use/non-use of IPsec for
tunnel traffic protection. But, if the hint is that this policy
should be controlled by the respective CP entity, I'd say yes, but
that CP to UP interface is out of scope for this work. The
controller/CP entity may have a provisioning interface to the UP
nodes and that interface may dictate this aspect, but has not
implication on this draft.
(2) How does the rest of the Internet know to use the LMA-UP for the
MN and not the LMA-CP? Sorry for being dense but I don't see how
packets from a random Internet node for the MN end up going down the
user plane. The IP address of the mobile node is topologically
anchored on the LMA-DP.
You mean LMA-UP there right?
Yes. Sorry for the terminology mix-up.
>From the point of view of Routing, the LMA-DP owns that larger IP
prefix
block from which it allocates to IP prefixes/address to individual
mobility sessions. The LMA-DP is in the path for the user-plane
traffic and is the entry point into the mobile network.  However, the
LMA-CP is only terminating the control signaling from the MAG and is
not in the path for the user-plane traffic.
Is that written down somewhere? If say the LMA-UP and LMA-CP had
utterly different addresses then it couldn't work could it?
This was captured in Section 5.6.2 for IPv6
http://tools.ietf.org/html/rfc5213#page-38
Section 3.1.3 for IPv4 http://tools.ietf.org/html/rfc5844#page-15
When we separate the functionality, the user plane (or the IP
address/prefixes allocated to the MN) must be anchored on the LMA-UP.
I think we missed capturing this in the spec. Thanks for pointing
this out.
OLD:
The LMA Control Plane and the LMA User Plane functions are typically
deployed on the same IP node and in such scenario the interface
between these functions is internal to the implementation.
Deployments may also choose to deploy the LMA Control Plane and the
LMA User Plane functions on seperate IP nodes. In such deployment
models, there needs to be a protocol interface between these two
functions and which is outside the scope of this document. Possible
options for such interface include OpenFlow [OpenFlow-Spec-v1.4.0
<http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-OpenFlow-Spec-v1.4.0>],
FORCES [RFC5810 <http://tools.ietf.org/html/rfc5810>], use of routing
infrastructure
[I-D.matsushima-stateless-uplane-vepc
<http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-I-D.matsushima-stateless-uplane-vepc>]
or vendor specific approaches. This specification does not mandate a
specific protocol interface and views this interface as a generic
interface relevant more broadly for many other protocol systems in
addition to Proxy Mobile IPv6.
NEW:
The LMA Control Plane and the LMA User Plane functions are typically
deployed on the same IP node and in such scenario the interface
between these functions is internal to the implementation.
Deployments may also choose to deploy the LMA Control Plane and the
LMA User Plane functions on seperate IP nodes. In such deployment
models, there needs to be a protocol interface between these two
functions and which is outside the scope of this document. Possible
options for such interface include OpenFlow [OpenFlow-Spec-v1.4.0
<http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-OpenFlow-Spec-v1.4.0>],
FORCES [RFC5810 <http://tools.ietf.org/html/rfc5810>], use of routing
infrastructure
[I-D.matsushima-stateless-uplane-vepc
<http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-I-D.matsushima-stateless-uplane-vepc>]
or vendor specific approaches. This specification does not mandate a
specific protocol interface and views this interface as a generic
interface relevant more broadly for many other protocol systems in
addition to Proxy Mobile IPv6. When the LMA Control Plane and the LMA
User Plane functions are deployed on separate IP nodes, the
requirement related to user-plane address anchoring specified in
Section 5.6.2 [RFC-5213] and Section 3.1.3 [RFC5844] must be met by
the  node hosting the LMA user plane functionality. The LMA user
plane node must be topological anchor point for the IP
address/prefixes allocated to the mobile node.
I'm not quite sure if that does sort out the issue or not,
but I'm willing to believe you and Brian if you're telling
me it does.
So with that OLD/NEW and adding IPsec as MTI for the
*-UP nodes, I think we'd be done.
Cheers,
S.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
Did you need to say somewhere which PMIPv6 messages are to be sent in
the control plane and which in the user plane? That might be obvious
to some, but its not to me and I guess there are a bunch of PMIPv6
extensions so I could imagine that someone somewhere might get it
wrong.
The signaling messages {IPv6 with Mobility Header, or IPv4 UDP Port
5436) traffic is exchanged between MAG-CP and LMA-CP. There is no
implication on the use/non-use of other mobility options.
Sure. My question is: where is it written down which are signalling
messages and which are not?
PMIPv6 Signaling messages (aka control plane messages) are PBU/PBA,
BRI/BRA and UPN/UPA messages. The formats for these messages are
specified in RFC 5213, 5844, 5846, 5847, 7077.
Ex: http://tools.ietf.org/html/rfc5213#page-69
http://tools.ietf.org/html/rfc6275#page-42
The identification of any of these CP messages is the use of the
following selector.
1. Any IPv4-UDP packets with UDP port 5436 2. Any IPv6 packets with
Mobility Header messages
Existing specs clearly explain this and I think its sufficiently
clear for the implementors on what traffic goes to LMA-CP and what
goes to the LMA-UP.
Regards Sri
Ta, S.
The tunneled traffic with L3 encapsulation is between MAG-DP and
LMA-DP. Regards Sri
_______________________________________________ netext mailing list
netext@ietf.org<mailto:netext@ietf.org><mailto:netext@ietf.org><mailto:netext@ietf.org>
https://www.ietf.org/mailman/listinfo/netext

v2.23.0 | Report a Bug | By Email