RE: [netlmm] Issue: Auth Option support
"Alper Yegin" <alper.yegin@yegin.org> Mon, 10 September 2007 19:55 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUpLk-0000sM-1B; Mon, 10 Sep 2007 15:55:12 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUpLj-0000sD-4O for netlmm@ietf.org; Mon, 10 Sep 2007 15:55:11 -0400
Received: from mout.perfora.net ([74.208.4.197]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUpLh-000212-SZ for netlmm@ietf.org; Mon, 10 Sep 2007 15:55:11 -0400
Received: from [88.233.214.210] (helo=IBM52A5038A94F) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis), id 0MKpCa-1IUpLU1Rc7-0007Sf; Mon, 10 Sep 2007 15:55:03 -0400
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Vijay Devarapalli' <vijay.devarapalli@azairenet.com>, 'Ahmad Muhanna' <amuhanna@nortel.com>
Subject: RE: [netlmm] Issue: Auth Option support
Date: Mon, 10 Sep 2007 22:54:43 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Acfzu7JZN1cDF6CwQy+bGXbWNTVMwAAKH4yg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
In-Reply-To: <46E55CA3.6040103@azairenet.com>
Message-Id: <0MKpCa-1IUpLU1Rc7-0007Sf@mrelay.perfora.net>
X-Provags-ID: V01U2FsdGVkX1/lTswggmf3TM+Ux43Hc3EvZ5b1VlnSqFOg9ac Ei27/1Ikfie62LkK1AFgiWCuh5u8uue5OZ+KhILPKYdGqHIhLy sBwnILhAnbYQDWaKUHIAA==
X-Spam-Score: -0.0 (/)
X-Scan-Signature: ff0adf256e4dd459cc25215cfa732ac1
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
I agree. It is OK for the base spec to define one mechanism (IPsec) used with one model (per-MAG-LMA SA). But we shall not limit all deployments to those choices. Alper > -----Original Message----- > From: Vijay Devarapalli [mailto:vijay.devarapalli@azairenet.com] > Sent: Monday, September 10, 2007 6:03 PM > To: Ahmad Muhanna > Cc: Sri Gundavelli; Alper Yegin; netlmm@ietf.org > Subject: Re: [netlmm] Issue: Auth Option support > > Ahmad, > > I don't believe the security model of using just one security > association between the MAG and the LMA for protecting the proxy BU and > Proxy BAck changes irrespective of whether IPsec or RFC 4285 is used. So > I don't agree with the suggested change. > > Vijay > > Ahmad Muhanna wrote: > > > >> Subject: Re: [netlmm] Issue: Auth Option support > >> > >> Sri, > >> > >> I agree with "SHOULD" for using IPsec and "MUST" for > >> supporting IPsec on the MAG and the LMA. > >> > >> If thats the consensus, we need to modify a few sentences in > >> the draft. > >> > >> In section 4, replace > >> > >>> The signaling messages, Proxy Binding Update and Proxy Binding > >>> Acknowledgement, exchanged between the mobile access > >> gateway and the > >>> local mobility anchor MUST be protected using IPsec > >> [RFC-4301] and > >>> using the established security association between them. The > >>> security association of the specific mobile node for which the > >>> signaling message is initiated is not required for > >> protecting these > >>> messages. > >> with > >> > >> The signaling messages, Proxy Binding Update and Proxy Binding > >> Acknowledgement, exchanged between the mobile access > >> gateway and the > >> local mobility anchor MUST be protected using security > >> associations > >> established between them. The security association of the specific > >> mobile node for which the signaling message is initiated is not > >> required for protecting these messages. > >> > >> We need the MUST above since we have to say that the proxy BU > >> and proxy BAck must be protected, irrespective of whether > >> IPsec or some other mechanism is used. > > > > [Ahmad] > > Hi Vijay, > > > > As far as I remember, the whole security concept of using a per-Node SA > > for PMIPv6 was based on the use of IPsec. Although, I see why you > > proposed the text but I still see a problem here. For example, the above > > text allows the use of an authentication option similar to FA-HA AE to > > secure the P-BU/P-BA. > > > > Now, since allowing a per-Node SA to be used in PMIPv6 was based on the > > use of IPsec, I believe we clearly need to keep that as part of the spec > > text. > > > > What about the following slight modification to what you just proposed: > > > > The signaling messages, Proxy Binding Update and Proxy Binding > > Acknowledgement, exchanged between the mobile access gateway and the > > local mobility anchor MUST be protected using a security association > > established between them. If IPsec is used, the security association > > > > of the specific mobile node for which the signaling message is > > initiated > > is not required for protecting these messages. > > > > Thanks, > > Ahmad > > > >> Add one sentence that says > >> > >> The mobile access gateway and the local mobility anchor MUST > >> implement IPsec for protecting the Proxy Mobile IPv6 signaling > >> messages [RFC-4301]. > >> > >> The paragraph that comes after already uses "SHOULD" for using ESP. > >> > >>> IPsec ESP [RFC-4303] in transport mode with mandatory integrity > >>> protection SHOULD be used for protecting the signaling messages. > >>> Confidentiality protection of these messages is not required. > >> Hope that is sufficient. > >> > >> Vijay > >> > >> > >> Sri Gundavelli wrote: > >>> I want some comments on this issue raised by Alper. > >>> > >>> > >>> Also, if I interpret Sec 5.1 [3775], the IPSec is being > >> mandated, only > >>> the use of IPsec ESP is optional. > >>> > >>> -------- > >>> 5.1. Binding Updates to Home Agents > >>> > >>> The mobile node and the home agent MUST use an IPsec security > >>> association to protect the integrity and authenticity of > >> the Binding > >>> Updates and Acknowledgements. Both the mobile nodes and the home > >>> agents MUST support and SHOULD use the Encapsulating > >> Security Payload > >>> (ESP) [6] header in transport mode and MUST use a > >> non-NULL payload > >>> authentication algorithm to provide data origin authentication, > >>> connectionless integrity and optional anti-replay > >> protection. Note > >>> that Authentication Header (AH) [5] is also possible but > >> for brevity > >>> not discussed in this specification. > >>> ------- > >>> > >>> > >>> I'm confused, should the draft say > >>> > >>> "Both LMA and MAG MUST implement IPsec" and "all the signaling > >>> messages SHOULD be protected using IPSec". > >>> > >>> Will this ok, when reviewed by the security folks ? > >>> > >>> or mandate IPsec for this specification and let other draft > >> relax this > >>> in the presence of an alternative approach ? > >>> > >>> Please comment. > >>> > >>> > >>> Sri > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>>> -----Original Message----- > >>>> From: Alper Yegin [mailto:alper.yegin@yegin.org] > >>>> Sent: Tuesday, August 07, 2007 1:41 AM > >>>> To: 'Sri Gundavelli'; netlmm@ietf.org > >>>> Subject: RE: [netlmm] Issue: Auth Option support > >>>> > >>>>> The issue was related to the use of MUST clause in specifying the > >>>>> IPSec requirement for Proxy Mobile IPv6 protocol. Alper was > >>>>> suggesting that we relax that requirement and potentially leave a > >>>>> room for Auth Option support in future. > >>>> Actually, I didn't mean it specifically for Auth Option. It can be > >>>> anything. > >>>> Given that the security is handled by a separate protocol, > >> why lock > >>>> it down to "IPsec", when some other protocol (Auth Option being one > >>>> example) cannot > >>>> be used. > >>>> > >>>>> But, as most people agreed and as supported by Jari, this can > >>>> My understanding was the opposite, especially about Jari's > >> statement. > >>>>> always be changed in future when the support for new security > >>>>> mechanisms such as Auth Option are defined for Proxy > >> Mobile IPv6 and > >>>>> that specific document can always modify this requirement. > >>>>> So, no changes will be made to the document on this issue. > >>>> What if Auth Option is good enough as written? > >>>> What if a document in another SDO defines the alternative security > >>>> mechanism? > >>>> > >>>> For the type of interop we are seeking in IETF, "MUST > >> implement" is > >>>> good enough. "MUST use" is not necessary. > >>>> > >>>> Alper > >>>> > >>>> > >>>> > >>>> > >>>> > >>>>> Regards > >>>>> Sri > >>>>> > >>>>> _______________________________________________ > >>>>> netlmm mailing list > >>>>> netlmm@ietf.org > >>>>> https://www1.ietf.org/mailman/listinfo/netlmm > >>> _______________________________________________ > >>> netlmm mailing list > >>> netlmm@ietf.org > >>> https://www1.ietf.org/mailman/listinfo/netlmm > >> > >> _______________________________________________ > >> netlmm mailing list > >> netlmm@ietf.org > >> https://www1.ietf.org/mailman/listinfo/netlmm > >> _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] (no subject) LAI, SHOU WEN -HCHBJ
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- [netlmm] (no subject) Christian Vogt
- [netlmm] Re: your mail Sri Gundavelli
- [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Christian Vogt
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Chowdhury, Kuntal
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Narayanan, Vidya
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support DE JUAN HUARTE FEDERICO
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- [netlmm] Question on security model DE JUAN HUARTE FEDERICO
- RE: [netlmm] Question on security model Sri Gundavelli
- [netlmm] RE: Question on security model Ahmad Muhanna
- Re: [netlmm] Question on security model Julien Laganier
- RE: [netlmm] Question on security model Alper Yegin
- [netlmm] (no subject) Lynoh MaGee