IETF Logo Mail Archive

Re: [netlmm] Issue: Auth Option support

Alexandru Petrescu <alexandru.petrescu@gmail.com> Fri, 07 September 2007 12:52 UTC

Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITdKI-0002Ws-2Y; Fri, 07 Sep 2007 08:52:46 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITdKH-0002Wj-Av for netlmm@ietf.org; Fri, 07 Sep 2007 08:52:45 -0400
Received: from mail119.messagelabs.com ([216.82.241.179]) by chiedprmail1.ietf.org with smtp (Exim 4.43) id 1ITdKG-0004GT-Uk for netlmm@ietf.org; Fri, 07 Sep 2007 08:52:45 -0400
X-VirusChecked: Checked
X-Env-Sender: alexandru.petrescu@gmail.com
X-Msg-Ref: server-4.tower-119.messagelabs.com!1189169564!25819797!1
X-StarScan-Version: 5.5.12.14.2; banners=.,-,-
X-Originating-IP: [129.188.136.8]
Received: (qmail 23636 invoked from network); 7 Sep 2007 12:52:44 -0000
Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-4.tower-119.messagelabs.com with SMTP; 7 Sep 2007 12:52:44 -0000
Received: from il06exr04.mot.com (il06exr04.mot.com [129.188.137.134]) by motgate8.mot.com (8.12.11/Motorola) with ESMTP id l87Cqi4E020372; Fri, 7 Sep 2007 05:52:44 -0700 (MST)
Received: from il06vts03.mot.com (il06vts03.mot.com [129.188.137.143]) by il06exr04.mot.com (8.13.1/Vontu) with SMTP id l87CqhHD005149; Fri, 7 Sep 2007 07:52:43 -0500 (CDT)
Received: from [127.0.0.1] (zfr01-2117.crm.mot.com [10.161.201.117]) by il06exr04.mot.com (8.13.1/8.13.0) with ESMTP id l87CqfIR005066; Fri, 7 Sep 2007 07:52:42 -0500 (CDT)
Message-ID: <46E14994.9060302@gmail.com>
Date: Fri, 07 Sep 2007 14:52:36 +0200
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Julien Laganier <julien.IETF@laposte.net>
Subject: Re: [netlmm] Issue: Auth Option support
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net> <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com> <200709071429.19318.julien.IETF@laposte.net>
In-Reply-To: <200709071429.19318.julien.IETF@laposte.net>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 000773-1, 06/09/2007), Outbound message
X-Antivirus-Status: Clean
X-CFilter-Loop: Reflected
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org

Julien Laganier wrote:
> Hi Sri,
> 
> On Thursday 06 September 2007, Sri Gundavelli wrote:
>> I'm confused, should the draft say
>>
>> "Both LMA and MAG MUST implement IPsec" and
>> "all the signaling messages SHOULD be protected using IPSec".
>>
>> Will this ok, when reviewed by the security folks ?
>>
>> or mandate IPsec for this specification and let other draft
>> relax this in the presence of an alternative approach ?
>>
>> Please comment.
> 
> Somehow, "MUST implement" and "SHOULD use" together seems a bit 
> tautologic. 
> 
> To me "SHOULD use" is sufficient since it covers both of the two 
> possibles cases:
> 
> - deployment follows the SHOULD recommendation, it uses IPsec to protect 
> PMIPv6, in which case it supports it, since it's using it :), or
> 
> - deployment ignores the SHOULD recommendation, does not uses IPSec, in 
> which case it is useless to implement it since it's not used...
> 
> I'd prefer having "MUST protect integrity of signalling messages, and 
> SHOULD use IPsec ESP to protect integrity of those messages". We might 
> also add "MAY use IPsec AH".

I'm not sure what you mean...

Do you mean to use ESP to offer authentication (integrity protection)? 
I'd suggest to make AH a should, for this purpose, not ESP.

Or do you mean to use ESP to offer confidentiality (encrypted packets)? 
  In this case, ESP is the only possibility to do confindentiality, 
because authopt doesn't; so not sure why needing to debate the use of 
ESP for confidentiality, it is pretty clear.

Also, when you say to protect integrity of signalling messages, which of 
those do you assume?  authopt only does bu/back, it doesn't do other 
mip6 signalling.  So I think you only assume integrity of bu/back, right?

Alex


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm

v2.23.0 | Report a Bug | By Email