Re: [netext] Security question on anycast mode of draft-ietf-netext-redirect-01

jouni korhonen <jouni.nospam@gmail.com> Thu, 28 July 2011 13:34 UTC

From: jouni korhonen <jouni.nospam@gmail.com>
In-Reply-To: <BF345F63074F8040B58C00A186FCA57F1EFEFD75E3@NALASEXMB04.na.qualcomm.com>
Message-Id: <C84C53A5-6A12-4AD0-A189-9BE3AD023519@gmail.com>
References: <BF345F63074F8040B58C00A186FCA57F1EFEFD75E3@NALASEXMB04.na.qualcomm.com>
To: "Laganier, Julien" <julienl@qualcomm.com>
Cc: "netext@ietf.org" <netext@ietf.org>, "draft-ietf-netext-redirect@tools.ietf.org" <draft-ietf-netext-redirect@tools.ietf.org>
Subject: Re: [netext] Security question on anycast mode of draft-ietf-netext-redirect-01
Date: Thu, 28 Jul 2011 13:34:14 -0000
X-Original-Date: Fri, 30 Apr 2010 07:28:24 +0300

Hi Julien,

On Apr 29, 2010, at 2:15 AM, Laganier, Julien wrote:

> Hello,
>
> I have a security question on the anycast mode described in Section 1 of the draft:
>
> o  Support for IPv6 anycast addressing [RFC4291]: the current PMIPv6
>    specification does not specify how the PMIPv6 protocol should
>    treat anycast addresses assigned to mobility agents.  Although
>    [RFC4291] now allows using anycast addresses as source addresses,
>    it does not make much sense using anycast addresses for the MAG to
>    the LMA communication after the initial PBU/PBA exchange.  For
>    example, a blade architecture LMA may appear to the routing system
>    as multiple LMAs with separate unicast IP addresses and with one
>    or more "grouping" anycast addresses.
>
> I understand from the above that a group of LMAs would be addressed with a common anycast address, and the first PBU would be sent to this anycast address, and redirection would follow to one of the unicast addresses of a specific LMA.
>
> Subsequent PBUs would be sent to a unicast address of a specific LMA.
>
> If that is correct, I am wondering how the SA between the MAG and the anycast LMA will be looked up?

In the same way as SAs for unicast addresses. If SAs are built for anycast addresses, you basically have to fall back to manual keying of SAs (i.e. multiple LMAs share the same keys etc.) and in most cases give up on replay protection (unless LMAs are somehow able to share sequence number state). Other than those, there is no difference in SA configuration or usage compared to the unicast case.

- Jouni

> --julien
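An added example (not the draft's or the list's code) that makes the replay-protection caveat in the reply concrete: an RFC 4303-style anti-replay window run over constructed traffic for two LMAs behind one anycast address that share a manually keyed SA. With per-LMA window state, a duplicate that lands on a different LMA than the original is accepted; with shared sequence-number state it is rejected.

```python
# Added example (not the draft's or the list's code): an RFC 4303-style
# anti-replay window applied to LMAs behind one anycast address that share
# a manually keyed SA. All traffic below is constructed for illustration.
class ReplayWindow:
    """Sliding anti-replay window as in ESP (RFC 4303, Appendix A)."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => seq (top - i) already accepted

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it), False on replay."""
        if seq <= 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # older than the window: drop
            return False
        if (self.bitmap >> diff) & 1:     # already accepted: replay
            return False
        self.bitmap |= 1 << diff
        return True

def deliver(packets, lmas, shared=None):
    """packets: (seq, lma_index) pairs as anycast routing spread them.
    shared=None: each LMA checks only its own window (no state sharing);
    otherwise every LMA consults the single shared window."""
    return [(lmas[i] if shared is None else shared).check_and_update(s)
            for s, i in packets]

# Constructed traffic: seq 2 was routed to LMA 1; later a duplicate of
# seq 2 arrives at LMA 0, which has never seen it.
TRAFFIC = [(1, 0), (2, 1), (3, 0)]
REPLAYED = [(2, 0)]

def per_node_windows():
    """Manual keying without shared sequence state: duplicate accepted."""
    lmas = [ReplayWindow(), ReplayWindow()]
    deliver(TRAFFIC, lmas)
    return deliver(REPLAYED, lmas)[0]

def shared_window():
    """Same SA but one replay window shared by the LMAs: duplicate rejected."""
    lmas, shared = [ReplayWindow(), ReplayWindow()], ReplayWindow()
    deliver(TRAFFIC, lmas, shared)
    return deliver(REPLAYED, lmas, shared)[0]
```

Sharing a window between blades is the simulated ideal; in practice the LMAs would need some synchronisation of sequence-number state, which is exactly what the reply says is usually unavailable.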