RE: [netlmm] Issue: Auth Option support
"Ahmad Muhanna" <amuhanna@nortel.com> Mon, 10 September 2007 12:56 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUiok-0003Gg-N9; Mon, 10 Sep 2007 08:56:42 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUioj-0003Ga-I7 for netlmm@ietf.org; Mon, 10 Sep 2007 08:56:41 -0400
Received: from zrtps0kp.nortel.com ([47.140.192.56]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IUioi-000534-Ui for netlmm@ietf.org; Mon, 10 Sep 2007 08:56:41 -0400
Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id l8ACuXr15555; Mon, 10 Sep 2007 12:56:33 GMT
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [netlmm] Issue: Auth Option support
Date: Mon, 10 Sep 2007 07:56:31 -0500
Message-ID: <6FC4416DDE56C44DA0AEE67BC7CA4371169E8C2C@zrc2hxm2.corp.nortel.com>
In-Reply-To: <C24CB51D5AA800449982D9BCB90325139539A8@NAEX13.na.qualcomm.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [netlmm] Issue: Auth Option support
Thread-Index: AcfxSsGFlDvDz/RAQJWYV4inKIWpywAJhYcQAATTUOAAiU6I0A==
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com><0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net><01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com><200709071429.19318.julien.IETF@laposte.net> <010801c7f171$f3997f30$d4f6200a@amer.cisco.com> <C24CB51D5AA800449982D9BCB90325139539A8@NAEX13.na.qualcomm.com>
From: Ahmad Muhanna <amuhanna@nortel.com>
To: "Narayanan, Vidya" <vidyan@qualcomm.com>, Sri Gundavelli <sgundave@cisco.com>, Julien Laganier <julien.IETF@laposte.net>, netlmm@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 22bbb45ef41b733eb2d03ee71ece8243
Cc:
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
Hope this is never too late. My understanding is that for any implementation to claim compliancy to any RFC, that implementation MUST implement all "MUST" and "SHOULD". Having said that, I am not sure why we need this distinction of "MUST implement IPsec" and "SHOULD use IPsec", that is exactly the meaning of "SHOULD use IPsec". Regards, Ahmad > -----Original Message----- > From: Narayanan, Vidya [mailto:vidyan@qualcomm.com] > Sent: Friday, September 07, 2007 2:27 PM > To: Sri Gundavelli; Julien Laganier; netlmm@ietf.org > Subject: RE: [netlmm] Issue: Auth Option support > > All, > On this topic, I believe we must have a mandatory to > implement mechanism specified for standards track > publication. We can leave the use at "RECOMMENDED" or > "SHOULD", but, we need a "MUST" on what the LMA and MAG need > to implement. > > I had run this by the security directorate at the Chicago > meeting and my understanding is that as long as we have "MUST > implement IPsec" and "SHOULD use IPsec", it would be fine. > > In other words, the SHOULD vs. MUST that we want to place on > using IPsec can be discussed, but, the "MUST" on > implementation is non-negotiable. > > This is inline with my understanding on what we need to state > for a complete specification. Given that channel security of > signaling messages is mandatory, unless we have at least one > common denominator that the MAG and LMA implementors will > implement, we cannot ensure interoperability. If they > support multiple common mechanisms and chose to use something > other than IPsec, that's fine - hence, the "SHOULD" on usage. > > Hope that helps. > > Thanks, > Vidya > > > -----Original Message----- > > From: Sri Gundavelli [mailto:sgundave@cisco.com] > > Sent: Friday, September 07, 2007 10:10 AM > > To: 'Julien Laganier'; netlmm@ietf.org > > Subject: RE: [netlmm] Issue: Auth Option support > > > > Hi Julien, > > > > > > > > > -----Original Message----- > > > From: julien laganier [mailto:julien.laganier@gmail.com] On > > Behalf Of > > > Julien Laganier > > > Sent: Friday, September 07, 2007 5:29 AM > > > To: netlmm@ietf.org > > > Cc: Sri Gundavelli; 'Alper Yegin' > > > Subject: Re: [netlmm] Issue: Auth Option support > > > > > > Hi Sri, > > > > > > On Thursday 06 September 2007, Sri Gundavelli wrote: > > > > I'm confused, should the draft say > > > > > > > > "Both LMA and MAG MUST implement IPsec" and "all the signaling > > > > messages SHOULD be protected using IPSec". > > > > > > > > Will this ok, when reviewed by the security folks ? > > > > > > > > or mandate IPsec for this specification and let other > draft relax > > > > this in the presence of an alternative approach ? > > > > > > > > Please comment. > > > > > > Somehow, "MUST implement" and "SHOULD use" together seems a bit > > > tautologic. > > > > > > To me "SHOULD use" is sufficient since it covers both of the two > > > possibles cases: > > > > > > - deployment follows the SHOULD recommendation, it uses IPsec to > > > protect PMIPv6, in which case it supports it, since it's > > using it :), > > > or > > > > > > - deployment ignores the SHOULD recommendation, does not > > uses IPSec, > > > in which case it is useless to implement it since it's not used... > > > > > > I'd prefer having "MUST protect integrity of signalling > > messages, and > > > SHOULD use IPsec ESP to protect integrity of those messages". > > > We might > > > also add "MAY use IPsec AH". > > > > > > > > > I agree. I'm not against allowing other approaches. I'm only > > concerned, if we can leave the draft saying, "MUST protect > integrity > > of signalling messages", with out specifying IPsec or some other > > approach. If that will pass the security review. We may > have to state > > that IPsec MUST be used or some other approach, say > Auth-Option MUST > > be used. Not sure, if we can leave this blank. > > > > Sri > > > > > > _______________________________________________ > > netlmm mailing list > > netlmm@ietf.org > > https://www1.ietf.org/mailman/listinfo/netlmm > > > > _______________________________________________ > netlmm mailing list > netlmm@ietf.org > https://www1.ietf.org/mailman/listinfo/netlmm > _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] (no subject) LAI, SHOU WEN -HCHBJ
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- [netlmm] (no subject) Christian Vogt
- [netlmm] Re: your mail Sri Gundavelli
- [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Christian Vogt
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Chowdhury, Kuntal
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Narayanan, Vidya
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support DE JUAN HUARTE FEDERICO
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- [netlmm] Question on security model DE JUAN HUARTE FEDERICO
- RE: [netlmm] Question on security model Sri Gundavelli
- [netlmm] RE: Question on security model Ahmad Muhanna
- Re: [netlmm] Question on security model Julien Laganier
- RE: [netlmm] Question on security model Alper Yegin
- [netlmm] (no subject) Lynoh MaGee