IETF Logo Mail Archive

RE: [netlmm] Issue: Auth Option support

"Alper Yegin" <alper.yegin@yegin.org> Mon, 10 September 2007 19:55 UTC

Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUpLk-0000sM-1B; Mon, 10 Sep 2007 15:55:12 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUpLj-0000sD-4O for netlmm@ietf.org; Mon, 10 Sep 2007 15:55:11 -0400
Received: from mout.perfora.net ([74.208.4.197]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUpLh-000212-SZ for netlmm@ietf.org; Mon, 10 Sep 2007 15:55:11 -0400
Received: from [88.233.214.210] (helo=IBM52A5038A94F) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis), id 0MKpCa-1IUpLU1Rc7-0007Sf; Mon, 10 Sep 2007 15:55:03 -0400
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Vijay Devarapalli' <vijay.devarapalli@azairenet.com>, 'Ahmad Muhanna' <amuhanna@nortel.com>
Subject: RE: [netlmm] Issue: Auth Option support
Date: Mon, 10 Sep 2007 22:54:43 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Acfzu7JZN1cDF6CwQy+bGXbWNTVMwAAKH4yg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
In-Reply-To: <46E55CA3.6040103@azairenet.com>
Message-Id: <0MKpCa-1IUpLU1Rc7-0007Sf@mrelay.perfora.net>
X-Provags-ID: V01U2FsdGVkX1/lTswggmf3TM+Ux43Hc3EvZ5b1VlnSqFOg9ac Ei27/1Ikfie62LkK1AFgiWCuh5u8uue5OZ+KhILPKYdGqHIhLy sBwnILhAnbYQDWaKUHIAA==
X-Spam-Score: -0.0 (/)
X-Scan-Signature: ff0adf256e4dd459cc25215cfa732ac1
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org

I agree.

It is OK for the base spec to define one mechanism (IPsec) used with one
model (per-MAG-LMA SA). But we shall not limit all deployments to those
choices.

Alper

> -----Original Message-----
> From: Vijay Devarapalli [mailto:vijay.devarapalli@azairenet.com]
> Sent: Monday, September 10, 2007 6:03 PM
> To: Ahmad Muhanna
> Cc: Sri Gundavelli; Alper Yegin; netlmm@ietf.org
> Subject: Re: [netlmm] Issue: Auth Option support
> 
> Ahmad,
> 
> I don't believe the security model of using just one security
> association between the MAG and the LMA for protecting the proxy BU and
> Proxy BAck changes irrespective of whether IPsec or RFC 4285 is used. So
>   I don't agree with the suggested change.
> 
> Vijay
> 
> Ahmad Muhanna wrote:
> >
> >> Subject: Re: [netlmm] Issue: Auth Option support
> >>
> >> Sri,
> >>
> >> I agree with "SHOULD" for using IPsec and "MUST" for
> >> supporting IPsec on the MAG and the LMA.
> >>
> >> If thats the consensus, we need to modify a few sentences in
> >> the draft.
> >>
> >> In section 4, replace
> >>
> >>>    The signaling messages, Proxy Binding Update and Proxy Binding
> >>>    Acknowledgement, exchanged between the mobile access
> >> gateway and the
> >>>    local mobility anchor MUST be protected using IPsec
> >> [RFC-4301] and
> >>>    using the established security association between them.  The
> >>>    security association of the specific mobile node for which the
> >>>    signaling message is initiated is not required for
> >> protecting these
> >>>    messages.
> >> with
> >>
> >>     The signaling messages, Proxy Binding Update and Proxy Binding
> >>     Acknowledgement, exchanged between the mobile access
> >> gateway and the
> >>     local mobility anchor MUST be protected using security
> >> associations
> >>     established between them. The security association of the specific
> >>     mobile node for which the signaling message is initiated is not
> >>     required for protecting these messages.
> >>
> >> We need the MUST above since we have to say that the proxy BU
> >> and proxy BAck must be protected, irrespective of whether
> >> IPsec or some other mechanism is used.
> >
> > [Ahmad]
> > Hi Vijay,
> >
> > As far as I remember, the whole security concept of using a per-Node SA
> > for PMIPv6 was based on the use of IPsec. Although, I see why you
> > proposed the text but I still see a problem here. For example, the above
> > text allows the use of an authentication option similar to FA-HA AE to
> > secure the P-BU/P-BA.
> >
> > Now, since allowing a per-Node SA to be used in PMIPv6 was based on the
> > use of IPsec, I believe we clearly need to keep that as part of the spec
> > text.
> >
> > What about the following slight modification to what you just proposed:
> >
> >     The signaling messages, Proxy Binding Update and Proxy Binding
> >     Acknowledgement, exchanged between the mobile access gateway and the
> >     local mobility anchor MUST be protected using a security association
> >     established between them. If IPsec is used, the security association
> >
> >     of the specific mobile node for which the signaling message is
> > initiated
> >     is not required for protecting these messages.
> >
> > Thanks,
> > Ahmad
> >
> >> Add one sentence that says
> >>
> >>     The mobile access gateway and the local mobility anchor MUST
> >>     implement IPsec for protecting the Proxy Mobile IPv6 signaling
> >>     messages [RFC-4301].
> >>
> >> The paragraph that comes after already uses "SHOULD" for using ESP.
> >>
> >>>    IPsec ESP [RFC-4303] in transport mode with mandatory integrity
> >>>    protection SHOULD be used for protecting the signaling messages.
> >>>    Confidentiality protection of these messages is not required.
> >> Hope that is sufficient.
> >>
> >> Vijay
> >>
> >>
> >> Sri Gundavelli wrote:
> >>> I want some comments on this issue raised by Alper.
> >>>
> >>>
> >>> Also, if I interpret Sec 5.1 [3775], the IPSec is being
> >> mandated, only
> >>> the use of IPsec ESP is optional.
> >>>
> >>> --------
> >>> 5.1.  Binding Updates to Home Agents
> >>>
> >>>    The mobile node and the home agent MUST use an IPsec security
> >>>    association to protect the integrity and authenticity of
> >> the Binding
> >>>    Updates and Acknowledgements.  Both the mobile nodes and the home
> >>>    agents MUST support and SHOULD use the Encapsulating
> >> Security Payload
> >>>    (ESP) [6] header in transport mode and MUST use a
> >> non-NULL payload
> >>>    authentication algorithm to provide data origin authentication,
> >>>    connectionless integrity and optional anti-replay
> >> protection.  Note
> >>>    that Authentication Header (AH) [5] is also possible but
> >> for brevity
> >>>    not discussed in this specification.
> >>> -------
> >>>
> >>>
> >>> I'm confused, should the draft say
> >>>
> >>> "Both LMA and MAG MUST implement IPsec" and "all the signaling
> >>> messages SHOULD be protected using IPSec".
> >>>
> >>> Will this ok, when reviewed by the security folks ?
> >>>
> >>> or mandate IPsec for this specification and let other draft
> >> relax this
> >>> in the presence of an alternative approach ?
> >>>
> >>> Please comment.
> >>>
> >>>
> >>> Sri
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Alper Yegin [mailto:alper.yegin@yegin.org]
> >>>> Sent: Tuesday, August 07, 2007 1:41 AM
> >>>> To: 'Sri Gundavelli'; netlmm@ietf.org
> >>>> Subject: RE: [netlmm] Issue: Auth Option support
> >>>>
> >>>>> The issue was related to the use of MUST clause in specifying the
> >>>>> IPSec requirement for Proxy Mobile IPv6 protocol. Alper was
> >>>>> suggesting that we relax that requirement and potentially leave a
> >>>>> room for Auth Option support in future.
> >>>> Actually, I didn't mean it specifically for Auth Option. It can be
> >>>> anything.
> >>>> Given that the security is handled by a separate protocol,
> >> why lock
> >>>> it down to "IPsec", when some other protocol (Auth Option being one
> >>>> example) cannot
> >>>> be used.
> >>>>
> >>>>> But, as most people agreed and as supported by Jari, this can
> >>>> My understanding was the opposite, especially about Jari's
> >> statement.
> >>>>> always be changed in future when the support for new security
> >>>>> mechanisms such as Auth Option are defined for Proxy
> >> Mobile IPv6 and
> >>>>> that specific document can always modify this requirement.
> >>>>> So, no changes will be made to the document on this issue.
> >>>> What if Auth Option is good enough as written?
> >>>> What if a document in another SDO defines the alternative security
> >>>> mechanism?
> >>>>
> >>>> For the type of interop we are seeking in IETF, "MUST
> >> implement" is
> >>>> good enough. "MUST use" is not necessary.
> >>>>
> >>>> Alper
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> Regards
> >>>>> Sri
> >>>>>
> >>>>> _______________________________________________
> >>>>> netlmm mailing list
> >>>>> netlmm@ietf.org
> >>>>> https://www1.ietf.org/mailman/listinfo/netlmm
> >>> _______________________________________________
> >>> netlmm mailing list
> >>> netlmm@ietf.org
> >>> https://www1.ietf.org/mailman/listinfo/netlmm
> >>
> >> _______________________________________________
> >> netlmm mailing list
> >> netlmm@ietf.org
> >> https://www1.ietf.org/mailman/listinfo/netlmm
> >>



_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm

v2.23.0 | Report a Bug | By Email