IETF Logo Mail Archive

RE: [netlmm] Issue: Auth Option support

"Alper Yegin" <alper.yegin@yegin.org> Thu, 06 September 2007 22:38 UTC

Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITPzS-00031V-M6; Thu, 06 Sep 2007 18:38:22 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITPzR-00030s-QV for netlmm@ietf.org; Thu, 06 Sep 2007 18:38:21 -0400
Received: from mout.perfora.net ([74.208.4.194]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1ITPzR-0002Fs-3b for netlmm@ietf.org; Thu, 06 Sep 2007 18:38:21 -0400
Received: from [88.233.214.210] (helo=IBM52A5038A94F) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis), id 0MKp8S-1ITPzK2Wsh-0008S4; Thu, 06 Sep 2007 18:38:19 -0400
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Alexandru Petrescu' <alexandru.petrescu@gmail.com>, 'Sri Gundavelli' <sgundave@cisco.com>
Subject: RE: [netlmm] Issue: Auth Option support
Date: Fri, 07 Sep 2007 01:38:08 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Acfw0gYhSyWULcrwRxu6tOJj3HIQ1wAA7ZDg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
In-Reply-To: <46E0799E.10207@gmail.com>
Message-Id: <0MKp8S-1ITPzK2Wsh-0008S4@mrelay.perfora.net>
X-Provags-ID: V01U2FsdGVkX1/yRSHAF9GwEGIjHSamIaBm8Oemogb7Rel3UUK cL/dOyfnO4nJLcCyNd5YK8BNs17o6sXDpUAWPwrWHRPdSgYt1q ZirgMwgCCGNn66V3Jka6w==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3971661e40967acfc35f708dd5f33760
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org

Hi Alex, Sri,

- The highlight of my suggestion is not to mandate auth option, but to
simply relax the current language that states "must use IPsec". 

- Auth option is an example of another security mechanism that we shall not
prevent from being used.

- "default" does not mean much. We shall speak in terms of "must/should/may
implement", and "must/should/may use."

- Leaving that to other specs, and the "must use IPsec" language in RFC 3775
despite RFC4285 do not make sense to me.

My recommendation is to state "should implement IPsec, may use IPsec" in the
PMIP6 spec.

Alper
 

> -----Original Message-----
> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
> Sent: Friday, September 07, 2007 1:05 AM
> To: Sri Gundavelli
> Cc: 'Alper Yegin'; netlmm@ietf.org
> Subject: Re: [netlmm] Issue: Auth Option support
> 
> Sri, IMHO, I have several comments on the authopt original support, and
> I've already posted on the mip6 list, not much follow up yet.  authopt
> draft is currently incompletely specified (eg what happens to Binding
> Error authentication?).
> 
> Basically, I would like to not see authopt being a mandatory
> authentication mechanism for P-MIPv6.  At least not yet - it should
> evolve more.
> 
> I would personally say that IPsec support for LMA and MAG is understood
> ok for the moment and could be suggested as a default for the P-MIPv6
> spec.
> 
> (I perfectly understand the deployments need and use AAA, and AAA is
>   performant and should be integrated with MIP6 and P-MIP6 - but it's not
>   yet clear how).
> 
> IMHO,
> 
> Alex
> 
> Sri Gundavelli wrote:
> > I want some comments on this issue raised by Alper.
> >
> >
> > Also, if I interpret Sec 5.1 [3775], the IPSec is being
> > mandated, only the use of IPsec ESP is optional.
> >
> > --------
> > 5.1.  Binding Updates to Home Agents
> >
> >    The mobile node and the home agent MUST use an IPsec security
> >    association to protect the integrity and authenticity of the Binding
> >    Updates and Acknowledgements.  Both the mobile nodes and the home
> >    agents MUST support and SHOULD use the Encapsulating Security Payload
> >    (ESP) [6] header in transport mode and MUST use a non-NULL payload
> >    authentication algorithm to provide data origin authentication,
> >    connectionless integrity and optional anti-replay protection.  Note
> >    that Authentication Header (AH) [5] is also possible but for brevity
> >    not discussed in this specification.
> > -------
> >
> >
> > I'm confused, should the draft say
> >
> > "Both LMA and MAG MUST implement IPsec" and
> > "all the signaling messages SHOULD be protected using IPSec".
> >
> > Will this ok, when reviewed by the security folks ?
> >
> > or mandate IPsec for this specification and let other draft
> > relax this in the presence of an alternative approach ?
> >
> > Please comment.
> >
> >
> > Sri
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >> -----Original Message-----
> >> From: Alper Yegin [mailto:alper.yegin@yegin.org]
> >> Sent: Tuesday, August 07, 2007 1:41 AM
> >> To: 'Sri Gundavelli'; netlmm@ietf.org
> >> Subject: RE: [netlmm] Issue: Auth Option support
> >>
> >>> The issue was related to the use of MUST clause in specifying
> >>> the IPSec requirement for Proxy Mobile IPv6 protocol. Alper
> >>> was suggesting that we relax that requirement and potentially
> >>> leave a room for Auth Option support in future.
> >> Actually, I didn't mean it specifically for Auth Option. It
> >> can be anything.
> >> Given that the security is handled by a separate protocol,
> >> why lock it down
> >> to "IPsec", when some other protocol (Auth Option being one
> >> example) cannot
> >> be used.
> >>
> >>> But, as most people agreed and as supported by Jari, this can
> >> My understanding was the opposite, especially about Jari's statement.
> >>
> >>> always be changed in future when the support for new security
> >>> mechanisms such as Auth Option are defined for Proxy Mobile IPv6
> >>> and that specific document can always modify this requirement.
> >>> So, no changes will be made to the document on this issue.
> >> What if Auth Option is good enough as written?
> >> What if a document in another SDO defines the alternative security
> >> mechanism?
> >>
> >> For the type of interop we are seeking in IETF, "MUST
> >> implement" is good
> >> enough. "MUST use" is not necessary.
> >>
> >> Alper
> >>
> >>
> >>
> >>
> >>
> >>>
> >>> Regards
> >>> Sri
> >>>
> >>> _______________________________________________
> >>> netlmm mailing list
> >>> netlmm@ietf.org
> >>> https://www1.ietf.org/mailman/listinfo/netlmm
> >
> > _______________________________________________
> > netlmm mailing list
> > netlmm@ietf.org
> > https://www1.ietf.org/mailman/listinfo/netlmm
> >
> 
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________


_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm

v2.23.0 | Report a Bug | By Email