IETF Logo Mail Archive

RE: [netlmm] Issue: Auth Option support

"Sri Gundavelli" <sgundave@cisco.com> Mon, 10 September 2007 03:13 UTC

Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUZiR-0004q5-Hc; Sun, 09 Sep 2007 23:13:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUZiP-0004Z9-IH for netlmm@ietf.org; Sun, 09 Sep 2007 23:13:33 -0400
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUZiO-0006jo-4G for netlmm@ietf.org; Sun, 09 Sep 2007 23:13:33 -0400
X-IronPort-AV: E=Sophos;i="4.20,228,1186383600"; d="scan'208";a="175168631"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-5.cisco.com with ESMTP; 09 Sep 2007 20:13:31 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l8A3DV9a006292; Sun, 9 Sep 2007 20:13:31 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l8A3DUEw010840; Mon, 10 Sep 2007 03:13:30 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 9 Sep 2007 20:13:30 -0700
Received: from sgundavewxp ([10.32.246.213]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 9 Sep 2007 20:13:30 -0700
From: Sri Gundavelli <sgundave@cisco.com>
To: 'Vijay Devarapalli' <vijay.devarapalli@AzaireNet.com>, 'Alper Yegin' <alper.yegin@yegin.org>
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net> <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com> <46E4B02C.5010101@azairenet.com>
Subject: RE: [netlmm] Issue: Auth Option support
Date: Sun, 09 Sep 2007 20:13:29 -0700
Message-ID: <005f01c7f358$8ff1f960$d5f6200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Thread-Index: AcfzVOlI/0yZah5ISJ2hahCBVDo86AAA5BOw
In-Reply-To: <46E4B02C.5010101@azairenet.com>
X-OriginalArrivalTime: 10 Sep 2007 03:13:30.0164 (UTC) FILETIME=[8FFB6F40:01C7F358]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=5523; t=1189394011; x=1190258011; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=sgundave@cisco.com; z=From:=20=22Sri=20Gundavelli=22=20<sgundave@cisco.com> |Subject:=20RE=3A=20[netlmm]=20Issue=3A=20Auth=20Option=20support |Sender:=20; bh=cdgqa/yRuFxooj9FtS5hDzQn2YCr1v17fEzLeesuKCo=; b=EtUj+3hfh8A+Jw2R1UQPNzE4tbaDTpPhXP98lqyArjZOkSnTew2PxZXFKhaFe4YAmNOx14p4 g47+N9cIrUBCiHIpUmV8gTVrMVMguGVznlHajtMttTR+RzMFUgSxQ1vs;
Authentication-Results: sj-dkim-2; header.From=sgundave@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 0cff8c3ec906d056784362c06f5f88c1
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org

Vijay/Raj,

I agree. Will make these changes.

Sri
 

> -----Original Message-----
> From: Vijay Devarapalli [mailto:vijay.devarapalli@AzaireNet.com] 
> Sent: Sunday, September 09, 2007 7:47 PM
> To: Sri Gundavelli; 'Alper Yegin'
> Cc: netlmm@ietf.org
> Subject: Re: [netlmm] Issue: Auth Option support
> 
> Sri,
> 
> I agree with "SHOULD" for using IPsec and "MUST" for 
> supporting IPsec on 
> the MAG and the LMA.
> 
> If thats the consensus, we need to modify a few sentences in 
> the draft.
> 
> In section 4, replace
> 
> >    The signaling messages, Proxy Binding Update and Proxy Binding
> >    Acknowledgement, exchanged between the mobile access 
> gateway and the
> >    local mobility anchor MUST be protected using IPsec 
> [RFC-4301] and
> >    using the established security association between them.  The
> >    security association of the specific mobile node for which the
> >    signaling message is initiated is not required for 
> protecting these
> >    messages.
> 
> with
> 
>     The signaling messages, Proxy Binding Update and Proxy Binding
>     Acknowledgement, exchanged between the mobile access 
> gateway and the
>     local mobility anchor MUST be protected using security 
> associations
>     established between them. The security association of the specific
>     mobile node for which the signaling message is initiated is not
>     required for protecting these messages.
> 
> We need the MUST above since we have to say that the proxy BU 
> and proxy 
> BAck must be protected, irrespective of whether IPsec or some other 
> mechanism is used.
> 
> Add one sentence that says
> 
>     The mobile access gateway and the local mobility anchor MUST
>     implement IPsec for protecting the Proxy Mobile IPv6 signaling
>     messages [RFC-4301].
> 
> The paragraph that comes after already uses "SHOULD" for using ESP.
> 
> >    IPsec ESP [RFC-4303] in transport mode with mandatory integrity
> >    protection SHOULD be used for protecting the signaling messages.
> >    Confidentiality protection of these messages is not required.
> 
> Hope that is sufficient.
> 
> Vijay
> 
> 
> Sri Gundavelli wrote:
> > I want some comments on this issue raised by Alper.
> > 
> > 
> > Also, if I interpret Sec 5.1 [3775], the IPSec is being
> > mandated, only the use of IPsec ESP is optional. 
> > 
> > --------
> > 5.1.  Binding Updates to Home Agents
> > 
> >    The mobile node and the home agent MUST use an IPsec security
> >    association to protect the integrity and authenticity of 
> the Binding
> >    Updates and Acknowledgements.  Both the mobile nodes and the home
> >    agents MUST support and SHOULD use the Encapsulating 
> Security Payload
> >    (ESP) [6] header in transport mode and MUST use a 
> non-NULL payload
> >    authentication algorithm to provide data origin authentication,
> >    connectionless integrity and optional anti-replay 
> protection.  Note
> >    that Authentication Header (AH) [5] is also possible but 
> for brevity
> >    not discussed in this specification.
> > -------
> > 
> > 
> > I'm confused, should the draft say 
> > 
> > "Both LMA and MAG MUST implement IPsec" and
> > "all the signaling messages SHOULD be protected using IPSec".
> > 
> > Will this ok, when reviewed by the security folks ?
> > 
> > or mandate IPsec for this specification and let other draft
> > relax this in the presence of an alternative approach ?
> > 
> > Please comment.
> > 
> > 
> > Sri
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> >> -----Original Message-----
> >> From: Alper Yegin [mailto:alper.yegin@yegin.org] 
> >> Sent: Tuesday, August 07, 2007 1:41 AM
> >> To: 'Sri Gundavelli'; netlmm@ietf.org
> >> Subject: RE: [netlmm] Issue: Auth Option support
> >>
> >>> The issue was related to the use of MUST clause in specifying
> >>> the IPSec requirement for Proxy Mobile IPv6 protocol. Alper
> >>> was suggesting that we relax that requirement and potentially
> >>> leave a room for Auth Option support in future.
> >> Actually, I didn't mean it specifically for Auth Option. It 
> >> can be anything.
> >> Given that the security is handled by a separate protocol, 
> >> why lock it down
> >> to "IPsec", when some other protocol (Auth Option being one 
> >> example) cannot
> >> be used.
> >>
> >>> But, as most people agreed and as supported by Jari, this can
> >> My understanding was the opposite, especially about Jari's 
> statement.
> >>
> >>> always be changed in future when the support for new security
> >>> mechanisms such as Auth Option are defined for Proxy Mobile IPv6
> >>> and that specific document can always modify this requirement.
> >>> So, no changes will be made to the document on this issue.
> >> What if Auth Option is good enough as written?
> >> What if a document in another SDO defines the alternative security
> >> mechanism?
> >>
> >> For the type of interop we are seeking in IETF, "MUST 
> >> implement" is good
> >> enough. "MUST use" is not necessary.
> >>
> >> Alper
> >>
> >>
> >>
> >>
> >>
> >>>
> >>> Regards
> >>> Sri
> >>>
> >>> _______________________________________________
> >>> netlmm mailing list
> >>> netlmm@ietf.org
> >>> https://www1.ietf.org/mailman/listinfo/netlmm
> > 
> > _______________________________________________
> > netlmm mailing list
> > netlmm@ietf.org
> > https://www1.ietf.org/mailman/listinfo/netlmm

_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm

v2.23.0 | Report a Bug | By Email