Re: [netlmm] Issue: Auth Option support

Julien Laganier <julien.IETF@laposte.net> Mon, 10 September 2007 09:28 UTC

From: Julien Laganier <julien.IETF@laposte.net>
To: netlmm@ietf.org
Subject: Re: [netlmm] Issue: Auth Option support
Date: Mon, 10 Sep 2007 11:28:08 +0200

Hi Vijay,

One comment below,

On Monday 10 September 2007, Vijay Devarapalli wrote:
> Sri,
>
> I agree with "SHOULD" for using IPsec and "MUST" for supporting IPsec
> on the MAG and the LMA.
>
> If that's the consensus, we need to modify a few sentences in the
> draft.
>
> In section 4, replace
>
> >    The signaling messages, Proxy Binding Update and Proxy Binding
> >    Acknowledgement, exchanged between the mobile access gateway and
> >    the local mobility anchor MUST be protected using IPsec [RFC-4301]
> >    and using the established security association between them.  The
> >    security association of the specific mobile node for which the
> >    signaling message is initiated is not required for protecting these
> >    messages.
>
> with
>
>     The signaling messages, Proxy Binding Update and Proxy Binding
>     Acknowledgement, exchanged between the mobile access gateway and
>     the local mobility anchor MUST be protected using security
>     associations established between them. The security association of
>     the specific mobile node for which the signaling message is initiated
>     is not required for protecting these messages.
>
> We need the MUST above since we have to say that the proxy BU and
> proxy BAck must be protected, irrespective of whether IPsec or some
> other mechanism is used.

I understand you want to say that integrity and data origin 
authentication are MUST's. I'm thus suggesting a minor change to your 
text above (rest is fine with me):

      The Proxy Binding Update and Proxy Binding Acknowledgement
      signaling messages exchanged between the MAG and LMA MUST be
      protected using end-to-end security association(s) offering
      integrity and data origin authentication. A security association
      with the mobile node for which the signaling message is issued is
      not required for protection of these messages.

--julien
