RE: [netlmm] Issue: Auth Option support

["Alper Yegin" <alper.yegin@yegin.org>]

> Alper Yegin wrote:
> > Vijay,
> >
> > Where did you get that idea ("SHOULD" is not useful for achieving
> > interoperability) from? Definitely not in RFC 2129.
> 
> Why were you looking in 2129? :)

Nevertheless I was right that SHOULD is not defined the way you described in
"RFC2129" :-)

Kidding aside, you are right I had a typo. It should be RFC 2119. That's
where SHOULD is defined as I quoted.

Alper



> 
> As I said earlier when you want to ensure interoperability, you
> typically use a "MUST". "SHOULD" means there is a probably that it is
> not implemented and you don't have an interoperable implementation.
> 
> Vijay
> 
> >
> > 	1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that
> > the
> > 	   definition is an absolute requirement of the specification.
> >
> > 	3. SHOULD   This word, or the adjective "RECOMMENDED", mean that
> > there
> > 	   may exist valid reasons in particular circumstances to ignore a
> > 	   particular item, but the full implications must be understood and
> > 	   carefully weighed before choosing a different course.
> >
> >
> > Alper
> >
> >> -----Original Message-----
> >> From: Vijay Devarapalli [mailto:vijay.devarapalli@azairenet.com]
> >> Sent: Monday, September 10, 2007 6:17 PM
> >> To: Alper Yegin
> >> Cc: 'Narayanan, Vidya'; 'Sri Gundavelli'; 'Julien Laganier';
> >> netlmm@ietf.org
> >> Subject: Re: [netlmm] Issue: Auth Option support
> >>
> >> Alper,
> >>
> >> When we need to ensure interoperability, we use "MUST" and not
> "SHOULD".
> >>
> >> Vijay
> >>
> >> Alper Yegin wrote:
> >>> For interop "SHOULD implement and use", or even "SHOULD use" (like
> >> Julien
> >>> explained) is fine. "SHOULD" means "you better know what you are doing
> >> if
> >>> you don't follow", and that's exactly the case.
> >>>
> >>> If both ends are using some other mechanism and they know what each
> >> other
> >>> supports, they should not have to worry about (and implement) the
> >> mechanism
> >>> in the base spec. This is what SHOULD is for.
> >>>
> >>> Alper
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Narayanan, Vidya [mailto:vidyan@qualcomm.com]
> >>>> Sent: Friday, September 07, 2007 10:27 PM
> >>>> To: Sri Gundavelli; Julien Laganier; netlmm@ietf.org
> >>>> Subject: RE: [netlmm] Issue: Auth Option support
> >>>>
> >>>> All,
> >>>> On this topic, I believe we must have a mandatory to implement
> >> mechanism
> >>>> specified for standards track publication.  We can leave the use at
> >>>> "RECOMMENDED" or "SHOULD", but, we need a "MUST" on what the LMA and
> >> MAG
> >>>> need to implement.
> >>>>
> >>>> I had run this by the security directorate at the Chicago meeting and
> >> my
> >>>> understanding is that as long as we have "MUST implement IPsec" and
> >>>> "SHOULD use IPsec", it would be fine.
> >>>>
> >>>> In other words, the SHOULD vs. MUST that we want to place on using
> >> IPsec
> >>>> can be discussed, but, the "MUST" on implementation is non-
> negotiable.
> >>>>
> >>>> This is inline with my understanding on what we need to state for a
> >>>> complete specification.  Given that channel security of signaling
> >>>> messages is mandatory, unless we have at least one common denominator
> >>>> that the MAG and LMA implementors will implement, we cannot ensure
> >>>> interoperability.  If they support multiple common mechanisms and
> chose
> >>>> to use something other than IPsec, that's fine - hence, the "SHOULD"
> on
> >>>> usage.
> >>>>
> >>>> Hope that helps.
> >>>>
> >>>> Thanks,
> >>>> Vidya
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Sri Gundavelli [mailto:sgundave@cisco.com]
> >>>>> Sent: Friday, September 07, 2007 10:10 AM
> >>>>> To: 'Julien Laganier'; netlmm@ietf.org
> >>>>> Subject: RE: [netlmm] Issue: Auth Option support
> >>>>>
> >>>>> Hi Julien,
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: julien laganier [mailto:julien.laganier@gmail.com] On
> >>>>> Behalf Of
> >>>>>> Julien Laganier
> >>>>>> Sent: Friday, September 07, 2007 5:29 AM
> >>>>>> To: netlmm@ietf.org
> >>>>>> Cc: Sri Gundavelli; 'Alper Yegin'
> >>>>>> Subject: Re: [netlmm] Issue: Auth Option support
> >>>>>>
> >>>>>> Hi Sri,
> >>>>>>
> >>>>>> On Thursday 06 September 2007, Sri Gundavelli wrote:
> >>>>>>> I'm confused, should the draft say
> >>>>>>>
> >>>>>>> "Both LMA and MAG MUST implement IPsec" and "all the signaling
> >>>>>>> messages SHOULD be protected using IPSec".
> >>>>>>>
> >>>>>>> Will this ok, when reviewed by the security folks ?
> >>>>>>>
> >>>>>>> or mandate IPsec for this specification and let other draft relax
> >>>>>>> this in the presence of an alternative approach ?
> >>>>>>>
> >>>>>>> Please comment.
> >>>>>> Somehow, "MUST implement" and "SHOULD use" together seems a bit
> >>>>>> tautologic.
> >>>>>>
> >>>>>> To me "SHOULD use" is sufficient since it covers both of the two
> >>>>>> possibles cases:
> >>>>>>
> >>>>>> - deployment follows the SHOULD recommendation, it uses IPsec to
> >>>>>> protect PMIPv6, in which case it supports it, since it's
> >>>>> using it :),
> >>>>>> or
> >>>>>>
> >>>>>> - deployment ignores the SHOULD recommendation, does not
> >>>>> uses IPSec,
> >>>>>> in which case it is useless to implement it since it's not used...
> >>>>>>
> >>>>>> I'd prefer having "MUST protect integrity of signalling
> >>>>> messages, and
> >>>>>> SHOULD use IPsec ESP to protect integrity of those messages".
> >>>>>> We might
> >>>>>> also add "MAY use IPsec AH".
> >>>>>>
> >>>>> I agree. I'm not against allowing other approaches. I'm only
> >>>>> concerned, if we can leave the draft saying, "MUST protect
> >>>>> integrity of signalling messages", with out specifying IPsec
> >>>>> or some other approach. If that will pass the security
> >>>>> review. We may have to state that IPsec MUST be used or some
> >>>>> other approach, say Auth-Option MUST be used. Not sure, if we
> >>>>> can leave this blank.
> >>>>>
> >>>>> Sri
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> netlmm mailing list
> >>>>> netlmm@ietf.org
> >>>>> https://www1.ietf.org/mailman/listinfo/netlmm
> >>>>>
> >>>> _______________________________________________
> >>>> netlmm mailing list
> >>>> netlmm@ietf.org
> >>>> https://www1.ietf.org/mailman/listinfo/netlmm
> >>>
> >>> _______________________________________________
> >>> netlmm mailing list
> >>> netlmm@ietf.org
> >>> https://www1.ietf.org/mailman/listinfo/netlmm
> >
> >



_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm