Re: [netext] Security question on anycast mode of draft-ietf-netext-redirect-01

jouni korhonen <jouni.nospam@gmail.com> Fri, 30 April 2010 04:28 UTC

From: jouni korhonen <jouni.nospam@gmail.com>
In-Reply-To: <BF345F63074F8040B58C00A186FCA57F1EFEFD75E3@NALASEXMB04.na.qualcomm.com>
Date: Fri, 30 Apr 2010 07:25:57 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AC33004-D54F-43B6-AB74-F901BA7C6AF2@gmail.com>
References: <BF345F63074F8040B58C00A186FCA57F1EFEFD75E3@NALASEXMB04.na.qualcomm.com>
To: "Laganier, Julien" <julienl@qualcomm.com>
X-Mailer: Apple Mail (2.1078)
Cc: "netext@ietf.org" <netext@ietf.org>, "draft-ietf-netext-redirect@tools.ietf.org" <draft-ietf-netext-redirect@tools.ietf.org>
Subject: Re: [netext] Security question on anycast mode of draft-ietf-netext-redirect-01

Hi Julien,

On Apr 29, 2010, at 2:15 AM, Laganier, Julien wrote:

> Hello,
> 
> I have a security question on the anycast mode described in Section 1 of the draft:
> 
>  o  Support for IPv6 anycast addressing [RFC4291]: the current PMIPv6
>     specification does not specify how the PMIPv6 protocol should
>     treat anycast addresses assigned to mobility agents.  Although
>     [RFC4291] now allows using anycast addresses as source addresses,
>     it does not make much sense using anycast addresses for the MAG to
>     the LMA communication after the initial PBU/PBA exchange.  For
>     example, a blade architecture LMA may appear to the routing system
>     as multiple LMAs with separate unicast IP addresses and with one
>     or more "grouping" anycast addresses.
> 
> I understand from the above that a group of LMAs would be addressed with a common anycast address, and the first PBU would be sent to this anycast address, and redirection would follow to one of the unicast addresses of a specific LMA.

Subsequent PBUs would be sent to a unicast address of a specific LMA.

> 
> If that is correct, I am wondering how will the SA between the MAG and the anycast LMA be looked up?

In the same way as SAs for unicast addresses. If SAs are built for anycast addresses, you basically have to fall back to manual keying of SAs (i.e., multiple LMAs share the same keys, etc.) and in most cases give up on replay protection (unless LMAs are somehow able to share sequence number state). Other than those, there is no difference in SA configuration or usage compared to the unicast case.

- Jouni



> 
> --julien
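The trade-off described in the reply above (one manually keyed SA shared by every LMA blade behind the anycast address, and replay protection that only holds if the blades also share sequence-number state) can be made concrete with a small simulation. This is an added example, not code from the draft or from either poster: the IPv6 addresses, the SPI and the key are constructed for the demo, the ESP packet is reduced to the fields that matter for SA lookup and anti-replay, and the window logic is a simplified form of the RFC 4303 sliding-window check. Two blades own the same anycast address; when each keeps its own replay window, a copy of a PBU already accepted by one blade is also accepted by the other, whereas a single shared replay state rejects it.

```python
"""
Simulation: IPsec SA lookup and ESP anti-replay for a MAG sending a PBU to an
anycast LMA address that is served by several LMA blades.

Added example, not from the draft or the list discussion.  Addresses, SPI and
key are constructed; the packet format is a reduced stand-in for ESP.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW = 64  # RFC 4303 minimum anti-replay window size (packets)


class ReplayWindow:
    """Sliding-window anti-replay state for one inbound SA (RFC 4303 3.4.3, simplified)."""

    def __init__(self):
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        """Return True if seq is fresh (and record it); False if replayed or too old."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top
            if shift >= WINDOW:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False  # left of the window: too old to be checked
        if (self.bitmap >> diff) & 1:
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


@dataclass
class InboundSA:
    spi: int
    dst: str      # destination address the SA is bound to (unicast or anycast)
    key: bytes    # manually configured key, identical on every blade
    replay: ReplayWindow = field(default_factory=ReplayWindow)


@dataclass
class EspPacket:
    dst: str
    spi: int
    seq: int
    payload: bytes
    icv: bytes


def compute_icv(spi, seq, payload, key):
    """Integrity check value over SPI, sequence number and payload (HMAC-SHA256)."""
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def make_packet(dst, spi, seq, payload, key):
    return EspPacket(dst, spi, seq, payload, compute_icv(spi, seq, payload, key))


class LmaBlade:
    """One LMA blade: a unicast address plus an inbound SAD keyed by (SPI, dst)."""

    def __init__(self, name, unicast, sad):
        self.name = name
        self.unicast = unicast
        self.sad = sad

    def receive(self, pkt):
        sa = self.sad.get((pkt.spi, pkt.dst))  # same lookup as for a unicast dst
        if sa is None:
            return "no SA"
        if not hmac.compare_digest(compute_icv(pkt.spi, pkt.seq, pkt.payload, sa.key), pkt.icv):
            return "bad ICV"
        if not sa.replay.accept(pkt.seq):
            return "replay"
        return "accepted"


def run_scenario(share_replay_state):
    """Deliver one PBU to blade 1, then a copy of it to blade 2; return both verdicts."""
    anycast = "2001:db8::100"            # constructed anycast address of the LMA group
    key = b"constructed-manual-key"      # constructed shared manual key
    spi = 0x1000                         # constructed SPI
    shared_sa = InboundSA(spi, anycast, key)

    def sa_for_blade():
        # Shared object => shared replay window; otherwise each blade has its own state.
        return shared_sa if share_replay_state else InboundSA(spi, anycast, key)

    lma1 = LmaBlade("lma1", "2001:db8::1", {(spi, anycast): sa_for_blade()})
    lma2 = LmaBlade("lma2", "2001:db8::2", {(spi, anycast): sa_for_blade()})
    pbu = make_packet(anycast, spi, 1, b"PBU", key)
    return lma1.receive(pbu), lma2.receive(pbu)


if __name__ == "__main__":
    print("per-blade replay state:", run_scenario(False))
    print("shared replay state:   ", run_scenario(True))
```

With per-blade state the second verdict is "accepted", which is the loss of replay protection the reply points at; with a shared window it is "replay". The ICV check passes on both blades either way, because the manual key is the same everywhere, so key sharing alone buys integrity but not freshness.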