RE: [netlmm] Issue: Auth Option support

"Sri Gundavelli" <sgundave@cisco.com> Fri, 07 September 2007 17:10 UTC

From: Sri Gundavelli <sgundave@cisco.com>
To: 'Julien Laganier' <julien.IETF@laposte.net>, netlmm@ietf.org
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net> <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com> <200709071429.19318.julien.IETF@laposte.net>
Subject: RE: [netlmm] Issue: Auth Option support
Date: Fri, 07 Sep 2007 10:10:12 -0700
Message-ID: <010801c7f171$f3997f30$d4f6200a@amer.cisco.com>

Hi Julien,


> -----Original Message-----
> From: julien laganier [mailto:julien.laganier@gmail.com] On 
> Behalf Of Julien Laganier
> Sent: Friday, September 07, 2007 5:29 AM
> To: netlmm@ietf.org
> Cc: Sri Gundavelli; 'Alper Yegin'
> Subject: Re: [netlmm] Issue: Auth Option support
> 
> Hi Sri,
> 
> On Thursday 06 September 2007, Sri Gundavelli wrote:
> > I'm confused, should the draft say
> >
> > "Both LMA and MAG MUST implement IPsec" and
> > "all the signaling messages SHOULD be protected using IPSec".
> >
> > Will this ok, when reviewed by the security folks ?
> >
> > or mandate IPsec for this specification and let other draft
> > relax this in the presence of an alternative approach ?
> >
> > Please comment.
> 
> Somehow, "MUST implement" and "SHOULD use" together seems a bit
> tautological.
> 
> To me "SHOULD use" is sufficient since it covers both of the two
> possible cases:
> 
> - deployment follows the SHOULD recommendation, it uses IPsec to protect
> PMIPv6, in which case it supports it, since it's using it :), or
> 
> - deployment ignores the SHOULD recommendation, does not use IPsec, in
> which case it is useless to implement it since it's not used...
> 
> I'd prefer having "MUST protect integrity of signalling messages, and
> SHOULD use IPsec ESP to protect integrity of those messages". We might
> also add "MAY use IPsec AH".
> 


I agree. I'm not against allowing other approaches. I'm only concerned
whether we can leave the draft saying "MUST protect integrity of signalling
messages" without specifying IPsec or some other approach, and whether that
will pass the security review. We may have to state that IPsec MUST be
used, or that some other approach, say Auth-Option, MUST be used. Not sure
if we can leave this blank.

Sri
