RE: [netlmm] Issue: Auth Option support
"Sri Gundavelli" <sgundave@cisco.com> Mon, 10 September 2007 03:13 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUZiR-0004q5-Hc; Sun, 09 Sep 2007 23:13:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUZiP-0004Z9-IH for netlmm@ietf.org; Sun, 09 Sep 2007 23:13:33 -0400
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUZiO-0006jo-4G for netlmm@ietf.org; Sun, 09 Sep 2007 23:13:33 -0400
X-IronPort-AV: E=Sophos;i="4.20,228,1186383600"; d="scan'208";a="175168631"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-5.cisco.com with ESMTP; 09 Sep 2007 20:13:31 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l8A3DV9a006292; Sun, 9 Sep 2007 20:13:31 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l8A3DUEw010840; Mon, 10 Sep 2007 03:13:30 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 9 Sep 2007 20:13:30 -0700
Received: from sgundavewxp ([10.32.246.213]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 9 Sep 2007 20:13:30 -0700
From: Sri Gundavelli <sgundave@cisco.com>
To: 'Vijay Devarapalli' <vijay.devarapalli@AzaireNet.com>, 'Alper Yegin' <alper.yegin@yegin.org>
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net> <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com> <46E4B02C.5010101@azairenet.com>
Subject: RE: [netlmm] Issue: Auth Option support
Date: Sun, 09 Sep 2007 20:13:29 -0700
Message-ID: <005f01c7f358$8ff1f960$d5f6200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Thread-Index: AcfzVOlI/0yZah5ISJ2hahCBVDo86AAA5BOw
In-Reply-To: <46E4B02C.5010101@azairenet.com>
X-OriginalArrivalTime: 10 Sep 2007 03:13:30.0164 (UTC) FILETIME=[8FFB6F40:01C7F358]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=5523; t=1189394011; x=1190258011; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=sgundave@cisco.com; z=From:=20=22Sri=20Gundavelli=22=20<sgundave@cisco.com> |Subject:=20RE=3A=20[netlmm]=20Issue=3A=20Auth=20Option=20support |Sender:=20; bh=cdgqa/yRuFxooj9FtS5hDzQn2YCr1v17fEzLeesuKCo=; b=EtUj+3hfh8A+Jw2R1UQPNzE4tbaDTpPhXP98lqyArjZOkSnTew2PxZXFKhaFe4YAmNOx14p4 g47+N9cIrUBCiHIpUmV8gTVrMVMguGVznlHajtMttTR+RzMFUgSxQ1vs;
Authentication-Results: sj-dkim-2; header.From=sgundave@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 0cff8c3ec906d056784362c06f5f88c1
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
Vijay/Raj, I agree. Will make these changes. Sri > -----Original Message----- > From: Vijay Devarapalli [mailto:vijay.devarapalli@AzaireNet.com] > Sent: Sunday, September 09, 2007 7:47 PM > To: Sri Gundavelli; 'Alper Yegin' > Cc: netlmm@ietf.org > Subject: Re: [netlmm] Issue: Auth Option support > > Sri, > > I agree with "SHOULD" for using IPsec and "MUST" for > supporting IPsec on > the MAG and the LMA. > > If thats the consensus, we need to modify a few sentences in > the draft. > > In section 4, replace > > > The signaling messages, Proxy Binding Update and Proxy Binding > > Acknowledgement, exchanged between the mobile access > gateway and the > > local mobility anchor MUST be protected using IPsec > [RFC-4301] and > > using the established security association between them. The > > security association of the specific mobile node for which the > > signaling message is initiated is not required for > protecting these > > messages. > > with > > The signaling messages, Proxy Binding Update and Proxy Binding > Acknowledgement, exchanged between the mobile access > gateway and the > local mobility anchor MUST be protected using security > associations > established between them. The security association of the specific > mobile node for which the signaling message is initiated is not > required for protecting these messages. > > We need the MUST above since we have to say that the proxy BU > and proxy > BAck must be protected, irrespective of whether IPsec or some other > mechanism is used. > > Add one sentence that says > > The mobile access gateway and the local mobility anchor MUST > implement IPsec for protecting the Proxy Mobile IPv6 signaling > messages [RFC-4301]. > > The paragraph that comes after already uses "SHOULD" for using ESP. > > > IPsec ESP [RFC-4303] in transport mode with mandatory integrity > > protection SHOULD be used for protecting the signaling messages. > > Confidentiality protection of these messages is not required. > > Hope that is sufficient. > > Vijay > > > Sri Gundavelli wrote: > > I want some comments on this issue raised by Alper. > > > > > > Also, if I interpret Sec 5.1 [3775], the IPSec is being > > mandated, only the use of IPsec ESP is optional. > > > > -------- > > 5.1. Binding Updates to Home Agents > > > > The mobile node and the home agent MUST use an IPsec security > > association to protect the integrity and authenticity of > the Binding > > Updates and Acknowledgements. Both the mobile nodes and the home > > agents MUST support and SHOULD use the Encapsulating > Security Payload > > (ESP) [6] header in transport mode and MUST use a > non-NULL payload > > authentication algorithm to provide data origin authentication, > > connectionless integrity and optional anti-replay > protection. Note > > that Authentication Header (AH) [5] is also possible but > for brevity > > not discussed in this specification. > > ------- > > > > > > I'm confused, should the draft say > > > > "Both LMA and MAG MUST implement IPsec" and > > "all the signaling messages SHOULD be protected using IPSec". > > > > Will this ok, when reviewed by the security folks ? > > > > or mandate IPsec for this specification and let other draft > > relax this in the presence of an alternative approach ? > > > > Please comment. > > > > > > Sri > > > > > > > > > > > > > > > > > > > > > >> -----Original Message----- > >> From: Alper Yegin [mailto:alper.yegin@yegin.org] > >> Sent: Tuesday, August 07, 2007 1:41 AM > >> To: 'Sri Gundavelli'; netlmm@ietf.org > >> Subject: RE: [netlmm] Issue: Auth Option support > >> > >>> The issue was related to the use of MUST clause in specifying > >>> the IPSec requirement for Proxy Mobile IPv6 protocol. Alper > >>> was suggesting that we relax that requirement and potentially > >>> leave a room for Auth Option support in future. > >> Actually, I didn't mean it specifically for Auth Option. It > >> can be anything. > >> Given that the security is handled by a separate protocol, > >> why lock it down > >> to "IPsec", when some other protocol (Auth Option being one > >> example) cannot > >> be used. > >> > >>> But, as most people agreed and as supported by Jari, this can > >> My understanding was the opposite, especially about Jari's > statement. > >> > >>> always be changed in future when the support for new security > >>> mechanisms such as Auth Option are defined for Proxy Mobile IPv6 > >>> and that specific document can always modify this requirement. > >>> So, no changes will be made to the document on this issue. > >> What if Auth Option is good enough as written? > >> What if a document in another SDO defines the alternative security > >> mechanism? > >> > >> For the type of interop we are seeking in IETF, "MUST > >> implement" is good > >> enough. "MUST use" is not necessary. > >> > >> Alper > >> > >> > >> > >> > >> > >>> > >>> Regards > >>> Sri > >>> > >>> _______________________________________________ > >>> netlmm mailing list > >>> netlmm@ietf.org > >>> https://www1.ietf.org/mailman/listinfo/netlmm > > > > _______________________________________________ > > netlmm mailing list > > netlmm@ietf.org > > https://www1.ietf.org/mailman/listinfo/netlmm _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] (no subject) LAI, SHOU WEN -HCHBJ
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- [netlmm] (no subject) Christian Vogt
- [netlmm] Re: your mail Sri Gundavelli
- [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Christian Vogt
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Chowdhury, Kuntal
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Narayanan, Vidya
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support DE JUAN HUARTE FEDERICO
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- [netlmm] Question on security model DE JUAN HUARTE FEDERICO
- RE: [netlmm] Question on security model Sri Gundavelli
- [netlmm] RE: Question on security model Ahmad Muhanna
- Re: [netlmm] Question on security model Julien Laganier
- RE: [netlmm] Question on security model Alper Yegin
- [netlmm] (no subject) Lynoh MaGee