Re: [netlmm] Issue: Auth Option support

Basavaraj Patil <basavaraj.patil@nsn.com> Fri, 07 September 2007 21:55 UTC

Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITlnS-0002Hp-FU; Fri, 07 Sep 2007 17:55:26 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITlnR-0002GW-8p for netlmm@ietf.org; Fri, 07 Sep 2007 17:55:25 -0400
Received: from smtp.nokia.com ([131.228.20.171] helo=mgw-ext12.nokia.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1ITlnQ-0001Vu-0y for netlmm@ietf.org; Fri, 07 Sep 2007 17:55:25 -0400
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-ext12.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l87LtBCa003929; Sat, 8 Sep 2007 00:55:20 +0300
Received: from daebh101.NOE.Nokia.com ([10.241.35.111]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 8 Sep 2007 00:55:15 +0300
Received: from daebe101.NOE.Nokia.com ([10.241.35.113]) by daebh101.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 7 Sep 2007 16:55:12 -0500
Received: from 10.241.58.198 ([10.241.58.198]) by daebe101.NOE.Nokia.com ([10.241.35.113]) with Microsoft Exchange Server HTTP-DAV ; Fri, 7 Sep 2007 21:55:12 +0000
User-Agent: Microsoft-Entourage/11.3.6.070618
Date: Fri, 07 Sep 2007 16:55:41 -0500
Subject: Re: [netlmm] Issue: Auth Option support
From: Basavaraj Patil <basavaraj.patil@nsn.com>
To: Sri Gundavelli <sgundave@cisco.com>, 'Julien Laganier' <julien.IETF@laposte.net>, netlmm@ietf.org
Message-ID: <C307330D.42924%basavaraj.patil@nsn.com>
Thread-Topic: [netlmm] Issue: Auth Option support
Thread-Index: AcfxSsGFlDvDz/RAQJWYV4inKIWpywAJhYcQAAi0xVIAAPT7EAAAlZrf
In-Reply-To: <015101c7f197$fb0457b0$d4f6200a@amer.cisco.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 07 Sep 2007 21:55:12.0613 (UTC) FILETIME=[C420E950:01C7F199]
X-Nokia-AV: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3a4bc66230659131057bb68ed51598f8
Cc:
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org

To ensure there is interoperability between multiple implementations, there
needs to be a default security mechanism and that would be IPsec. What
specific method is used in a certain deployment is not mandated by the spec.

So I think we can just leave it as a MUST for IPsec as the default security
solution without saying MUST use.

-Raj


On 9/7/07 4:42 PM, "ext Sri Gundavelli" <sgundave@cisco.com> wrote:

> Raj,
> 
> This is my view as well. Now, this will conflict with
> "MUST implement and SHOULD use of IPsec". To be consistent,
> it has to be "MUST implement and MUST use". Then Alper won't
> like this...
> 
> 
> Sri
>  
> 
>> -----Original Message-----
>> From: Basavaraj Patil [mailto:basavaraj.patil@nsn.com]
>> Sent: Friday, September 07, 2007 2:12 PM
>> To: Sri Gundavelli; 'Julien Laganier'; netlmm@ietf.org
>> Subject: Re: [netlmm] Issue: Auth Option support
>> 
>> 
>> Hi Sri,
>> 
>> I do believe we need to specify a default security mechanism
>> for the MAG/LMA signaling messages. And for this purpose, IPsec
>> is a good choice. So IMO it is required that we state "Proxy MIP6
>> signaling messages between the MAG and LMA MUST be secured by the
>> use of an IPsec SA between the two entities".
>> 
>> I think this does not limit the ability to adopt alternative security
>> solutions in the future.
>> 
>> -Raj
>> 
>> 
>> On 9/7/07 12:10 PM, "ext Sri Gundavelli" <sgundave@cisco.com> wrote:
>> 
>>> Hi Julien,
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: julien laganier [mailto:julien.laganier@gmail.com] On
>>>> Behalf Of Julien Laganier
>>>> Sent: Friday, September 07, 2007 5:29 AM
>>>> To: netlmm@ietf.org
>>>> Cc: Sri Gundavelli; 'Alper Yegin'
>>>> Subject: Re: [netlmm] Issue: Auth Option support
>>>> 
>>>> Hi Sri,
>>>> 
>>>> On Thursday 06 September 2007, Sri Gundavelli wrote:
>>>>> I'm confused, should the draft say
>>>>> 
>>>>> "Both LMA and MAG MUST implement IPsec" and
>>>>> "all the signaling messages SHOULD be protected using IPSec".
>>>>> 
>>>>> Will this be ok, when reviewed by the security folks ?
>>>>> 
>>>>> or mandate IPsec for this specification and let other draft
>>>>> relax this in the presence of an alternative approach ?
>>>>> 
>>>>> Please comment.
>>>> 
>>>> Somehow, "MUST implement" and "SHOULD use" together seem a bit
>>>> tautological.
>>>> 
>>>> To me "SHOULD use" is sufficient since it covers both of the two
>>>> possible cases:
>>>> 
>>>> - deployment follows the SHOULD recommendation, it uses IPsec
>>>> to protect PMIPv6, in which case it supports it, since it's
>>>> using it :), or
>>>> 
>>>> - deployment ignores the SHOULD recommendation, does not use
>>>> IPsec, in which case it is useless to implement it since it's
>>>> not used...
>>>> 
>>>> I'd prefer having "MUST protect integrity of signalling
>>>> messages, and SHOULD use IPsec ESP to protect integrity of
>>>> those messages". We might also add "MAY use IPsec AH".
>>>> 
>>> 
>>> 
>>> I agree. I'm not against allowing other approaches. I'm only
>>> concerned whether we can leave the draft saying, "MUST protect
>>> integrity of signalling messages", without specifying IPsec or
>>> some other approach, and whether that will pass the security
>>> review. We may have to state that IPsec MUST be used or some
>>> other approach, say Auth-Option MUST be used. Not sure if we
>>> can leave this blank.
>>> 
>>> Sri
>>> 
>>> 
>>> _______________________________________________
>>> netlmm mailing list
>>> netlmm@ietf.org
>>> https://www1.ietf.org/mailman/listinfo/netlmm
