Re: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)
"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Thu, 28 August 2014 14:32 UTC
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: Brian Haberman <brian@innovationslab.net>, Charlie Perkins <charles.perkins@earthlink.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)
Thread-Index: AQHPwszZxeWgT3fAO0GWwqdK0/n2nw==
Date: Thu, 28 Aug 2014 14:32:10 +0000
Message-ID: <D0248894.15C0C7%sgundave@cisco.com>
In-Reply-To: <53FF1A6C.5060602@innovationslab.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/j0oyzOkZS7IVoliXcPHoosrGK5s
Cc: "netext@ietf.org" <netext@ietf.org>, "netext-chairs@tools.ietf.org" <netext-chairs@tools.ietf.org>, "draft-ietf-netext-pmip-cp-up-separation@tools.ietf.org" <draft-ietf-netext-pmip-cp-up-separation@tools.ietf.org>
Thanks Stephen. We will go with that text then.

On 8/28/14 5:02 AM, "Brian Haberman" <brian@innovationslab.net> wrote:

> If WG members disagree with the proposed changes, they are free to raise
> that disagreement. If the resulting changes are substantive, I will ask
> the chairs to review those changes with the WG prior to any publication
> approval.

The proposed text on IPsec is in line with the base spec. We kept the following original agreements.

1.) Protection for PMIPv6 signaling messages with end-to-end security association(s) offering integrity and data origin authentication.
2.) IPsec is mandatory to implement on CP nodes.
3.) IPsec is mandatory to implement on UP nodes.
4.) Use of IPsec for user plane traffic protection is optional.
5.) New specifications can define alternative security mechanisms for protecting signaling messages.

This is in line with the text in RFC-5213. My comment was on #3, where the implementation of IPsec was mandated indirectly by having a requirement for CP traffic protection. Nothing substantial. Explicit statements on the protocol security for the split CP/DP architecture.

Working Group: Any comments on the below text, please speak up.

NEW:

The Proxy Mobile IPv6 specification [RFC5213] requires the signaling messages between the MAG and the LMA to be protected using end-to-end security association(s) offering integrity and data origin authentication. The base specification also requires IPsec as a mandatory-to-implement security mechanism. In deployments where the Control and User Plane functions on the MAG and LMA are separated and hosted on different IP nodes, the nodes hosting those respective Control Plane functions still have to meet the above security requirement. The Proxy Mobile IPv6 signaling messages exchanged between these entities MUST be protected using end-to-end security association(s) offering integrity and data origin authentication.

Furthermore, IPsec is a mandatory-to-implement security mechanism for the nodes hosting the Control Plane function of the MAG and LMA. Additional documents may specify alternative mechanisms, and the mobility entities can enable a specific mechanism for securing Proxy Mobile IPv6 signaling messages, based on either a static configuration or after a dynamic negotiation using any standard security negotiation protocols. As per the Proxy Mobile IPv6 specification, the use of IPsec for protecting the mobile node's user plane traffic is optional. This specification extends the same requirement and therefore requires the nodes hosting the User Plane functions of the MAG and the LMA to have IPsec as a mandatory-to-implement security mechanism, but makes the use of IPsec optional for User Plane traffic protection.

Regards
Sri