Re: [netlmm] Issue: Auth Option support
Vijay Devarapalli <vijay.devarapalli@azairenet.com> Mon, 10 September 2007 15:17 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUl0r-0004se-2d; Mon, 10 Sep 2007 11:17:21 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUl0q-0004sZ-6h for netlmm@ietf.org; Mon, 10 Sep 2007 11:17:20 -0400
Received: from mail2.azairenet.com ([207.47.15.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUl0o-0000IY-Ub for netlmm@ietf.org; Mon, 10 Sep 2007 11:17:20 -0400
Received: from [127.0.0.1] ([67.180.82.252]) by mail2.azairenet.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Mon, 10 Sep 2007 08:17:17 -0700
Message-ID: <46E55FF6.7090008@azairenet.com>
Date: Mon, 10 Sep 2007 08:17:10 -0700
From: Vijay Devarapalli <vijay.devarapalli@azairenet.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Alper Yegin <alper.yegin@yegin.org>
Subject: Re: [netlmm] Issue: Auth Option support
References: <0MKp8S-1IUeUz2OGw-0008RA@mrelay.perfora.net>
In-Reply-To: <0MKp8S-1IUeUz2OGw-0008RA@mrelay.perfora.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 10 Sep 2007 15:17:18.0005 (UTC) FILETIME=[ACFE1650:01C7F3BD]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b1c41982e167b872076d0018e4e1dc3c
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
Alper, When we need to ensure interoperability, we use "MUST" and not "SHOULD". Vijay Alper Yegin wrote: > For interop "SHOULD implement and use", or even "SHOULD use" (like Julien > explained) is fine. "SHOULD" means "you better know what you are doing if > you don't follow", and that's exactly the case. > > If both ends are using some other mechanism and they know what each other > supports, they should not have to worry about (and implement) the mechanism > in the base spec. This is what SHOULD is for. > > Alper > > >> -----Original Message----- >> From: Narayanan, Vidya [mailto:vidyan@qualcomm.com] >> Sent: Friday, September 07, 2007 10:27 PM >> To: Sri Gundavelli; Julien Laganier; netlmm@ietf.org >> Subject: RE: [netlmm] Issue: Auth Option support >> >> All, >> On this topic, I believe we must have a mandatory to implement mechanism >> specified for standards track publication. We can leave the use at >> "RECOMMENDED" or "SHOULD", but, we need a "MUST" on what the LMA and MAG >> need to implement. >> >> I had run this by the security directorate at the Chicago meeting and my >> understanding is that as long as we have "MUST implement IPsec" and >> "SHOULD use IPsec", it would be fine. >> >> In other words, the SHOULD vs. MUST that we want to place on using IPsec >> can be discussed, but, the "MUST" on implementation is non-negotiable. >> >> This is inline with my understanding on what we need to state for a >> complete specification. Given that channel security of signaling >> messages is mandatory, unless we have at least one common denominator >> that the MAG and LMA implementors will implement, we cannot ensure >> interoperability. If they support multiple common mechanisms and chose >> to use something other than IPsec, that's fine - hence, the "SHOULD" on >> usage. >> >> Hope that helps. >> >> Thanks, >> Vidya >> >>> -----Original Message----- >>> From: Sri Gundavelli [mailto:sgundave@cisco.com] >>> Sent: Friday, September 07, 2007 10:10 AM >>> To: 'Julien Laganier'; netlmm@ietf.org >>> Subject: RE: [netlmm] Issue: Auth Option support >>> >>> Hi Julien, >>> >>> >>> >>>> -----Original Message----- >>>> From: julien laganier [mailto:julien.laganier@gmail.com] On >>> Behalf Of >>>> Julien Laganier >>>> Sent: Friday, September 07, 2007 5:29 AM >>>> To: netlmm@ietf.org >>>> Cc: Sri Gundavelli; 'Alper Yegin' >>>> Subject: Re: [netlmm] Issue: Auth Option support >>>> >>>> Hi Sri, >>>> >>>> On Thursday 06 September 2007, Sri Gundavelli wrote: >>>>> I'm confused, should the draft say >>>>> >>>>> "Both LMA and MAG MUST implement IPsec" and "all the signaling >>>>> messages SHOULD be protected using IPSec". >>>>> >>>>> Will this ok, when reviewed by the security folks ? >>>>> >>>>> or mandate IPsec for this specification and let other draft relax >>>>> this in the presence of an alternative approach ? >>>>> >>>>> Please comment. >>>> Somehow, "MUST implement" and "SHOULD use" together seems a bit >>>> tautologic. >>>> >>>> To me "SHOULD use" is sufficient since it covers both of the two >>>> possibles cases: >>>> >>>> - deployment follows the SHOULD recommendation, it uses IPsec to >>>> protect PMIPv6, in which case it supports it, since it's >>> using it :), >>>> or >>>> >>>> - deployment ignores the SHOULD recommendation, does not >>> uses IPSec, >>>> in which case it is useless to implement it since it's not used... >>>> >>>> I'd prefer having "MUST protect integrity of signalling >>> messages, and >>>> SHOULD use IPsec ESP to protect integrity of those messages". >>>> We might >>>> also add "MAY use IPsec AH". >>>> >>> >>> I agree. I'm not against allowing other approaches. I'm only >>> concerned, if we can leave the draft saying, "MUST protect >>> integrity of signalling messages", with out specifying IPsec >>> or some other approach. If that will pass the security >>> review. We may have to state that IPsec MUST be used or some >>> other approach, say Auth-Option MUST be used. Not sure, if we >>> can leave this blank. >>> >>> Sri >>> >>> >>> _______________________________________________ >>> netlmm mailing list >>> netlmm@ietf.org >>> https://www1.ietf.org/mailman/listinfo/netlmm >>> >> _______________________________________________ >> netlmm mailing list >> netlmm@ietf.org >> https://www1.ietf.org/mailman/listinfo/netlmm > > > _______________________________________________ > netlmm mailing list > netlmm@ietf.org > https://www1.ietf.org/mailman/listinfo/netlmm _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] (no subject) LAI, SHOU WEN -HCHBJ
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- [netlmm] (no subject) Christian Vogt
- [netlmm] Re: your mail Sri Gundavelli
- [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Christian Vogt
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Chowdhury, Kuntal
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Narayanan, Vidya
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support DE JUAN HUARTE FEDERICO
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- [netlmm] Question on security model DE JUAN HUARTE FEDERICO
- RE: [netlmm] Question on security model Sri Gundavelli
- [netlmm] RE: Question on security model Ahmad Muhanna
- Re: [netlmm] Question on security model Julien Laganier
- RE: [netlmm] Question on security model Alper Yegin
- [netlmm] (no subject) Lynoh MaGee