Re: [netlmm] Issue: Auth Option support

Julien Laganier <julien.IETF@laposte.net> Fri, 07 September 2007 12:29 UTC

Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITcxq-0003T7-AC; Fri, 07 Sep 2007 08:29:34 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITcxo-0003T2-Is for netlmm@ietf.org; Fri, 07 Sep 2007 08:29:32 -0400
Received: from hu-out-0506.google.com ([72.14.214.239]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1ITcxn-0003hL-Cb for netlmm@ietf.org; Fri, 07 Sep 2007 08:29:32 -0400
Received: by hu-out-0506.google.com with SMTP id 31so133082huc for <netlmm@ietf.org>; Fri, 07 Sep 2007 05:29:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id:sender; bh=Ont4xDK9jG451A+IiRsNDAiYIr4Q0fCquLnO7Io+CgU=; b=PYvCpGVSmaKwqw1+mYV1L/t15FE5nkOXIZT7RW5FQw8c/NbTAbhEbCIPPqQfPBorkiT8yHLTy8+zdFLPnwy33EsBt7b9KisapZzNbZDJ6xb28+rGWpMdKxc3JFCqE8FkIJ17oP5mMhvfdeHBFNH2CjYCC65ryUDXUmHE6vYbf0g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id:sender; b=rP3vAMx5SIRv2kOdlaBK73v+nz4NV1nSKSkmUMbI4bKSFLfHJDc7/LrYNSCWjohAke5DRHvSmplRWCEH6ee53QT3RkP/3y2heYlZVwFwr0JfIZzs/z12XmOtMXUU/YVtcCdL/zAbEHqyxDWp+vR8X5EC/CFDaFvfmOUvVlwdw0o=
Received: by 10.86.23.17 with SMTP id 17mr1391810fgw.1189168169942; Fri, 07 Sep 2007 05:29:29 -0700 (PDT)
Received: from klee.local ( [212.119.9.178]) by mx.google.com with ESMTPS id 2sm3212942nfv.2007.09.07.05.29.25 (version=SSLv3 cipher=OTHER); Fri, 07 Sep 2007 05:29:27 -0700 (PDT)
From: Julien Laganier <julien.IETF@laposte.net>
To: netlmm@ietf.org
Subject: Re: [netlmm] Issue: Auth Option support
Date: Fri, 07 Sep 2007 14:29:19 +0200
User-Agent: KMail/1.9.6
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net> <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com>
In-Reply-To: <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200709071429.19318.julien.IETF@laposte.net>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8abaac9e10c826e8252866cbe6766464
Cc:
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org

Hi Sri,

On Thursday 06 September 2007, Sri Gundavelli wrote:
> I'm confused, should the draft say
>
> "Both LMA and MAG MUST implement IPsec" and
> "all the signaling messages SHOULD be protected using IPsec".
>
> Will this be ok, when reviewed by the security folks ?
>
> or mandate IPsec for this specification and let other draft
> relax this in the presence of an alternative approach ?
>
> Please comment.

Somehow, "MUST implement" and "SHOULD use" together seem a bit 
tautological. 

To me "SHOULD use" is sufficient since it covers both of the two 
possible cases:

- deployment follows the SHOULD recommendation, it uses IPsec to protect 
PMIPv6, in which case it supports it, since it's using it :), or

- deployment ignores the SHOULD recommendation, does not use IPsec, in 
which case it is useless to implement it since it's not used...

I'd prefer having "MUST protect integrity of signalling messages, and 
SHOULD use IPsec ESP to protect integrity of those messages". We might 
also add "MAY use IPsec AH".

--julien
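As an added illustration of what "SHOULD use IPsec ESP to protect integrity of those messages" comes down to in a deployment (this is not part of the message above and not taken from the draft), here is a constructed ipsec-tools/setkey security policy fragment. It assumes a MAG at 2001:db8:1::1 and an LMA at 2001:db8:2::1 (placeholder addresses), that the PMIPv6 signaling (PBU/PBA) is carried in the IPv6 Mobility Header (IP protocol number 135), and that the ESP SAs themselves are established separately (for instance by IKE), so only the SPD is shown; "require" makes the kernel drop signaling that is not ESP-protected, which is the "MUST protect integrity" half of the proposal, while the choice of ESP rather than AH is the "SHOULD" half.

```conf
# Constructed example: setkey SPD entries on the MAG side.
# MAG = 2001:db8:1::1, LMA = 2001:db8:2::1 (placeholder addresses, an assumption).
# Upper-layer protocol 135 = IPv6 Mobility Header, which carries PBU/PBA.
# ESP in transport mode; "require" rejects unprotected signaling instead of
# passing it in the clear. Encryption may be NULL on the SA if only integrity
# is wanted; that is an SA property (negotiated by IKE), not an SPD one.

spdflush;

# Outbound PBU from MAG to LMA must be ESP-protected.
spdadd 2001:db8:1::1 2001:db8:2::1 135 -P out ipsec
       esp/transport//require;

# Inbound PBA from LMA to MAG must be ESP-protected.
spdadd 2001:db8:2::1 2001:db8:1::1 135 -P in ipsec
       esp/transport//require;

# (The LMA side mirrors these two entries with the directions swapped.)
```

Loading this with `setkey -f` and then sending a PBU without a matching ESP SA is a quick check that the "require" level is doing its job: the packet is dropped rather than sent unprotected, which is the difference between protecting the messages and merely having IPsec implemented.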

_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm