Re: [netlmm] Issue: Auth Option support
Alexandru Petrescu <alexandru.petrescu@gmail.com> Thu, 06 September 2007 22:05 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITPTa-0002tw-CE; Thu, 06 Sep 2007 18:05:26 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITPTY-0002rP-VY for netlmm@ietf.org; Thu, 06 Sep 2007 18:05:25 -0400
Received: from mail153.messagelabs.com ([216.82.253.51]) by chiedprmail1.ietf.org with smtp (Exim 4.43) id 1ITPTY-0000rK-88 for netlmm@ietf.org; Thu, 06 Sep 2007 18:05:24 -0400
X-VirusChecked: Checked
X-Env-Sender: alexandru.petrescu@gmail.com
X-Msg-Ref: server-10.tower-153.messagelabs.com!1189116322!3746654!1
X-StarScan-Version: 5.5.12.14.2; banners=.,-,-
X-Originating-IP: [129.188.136.8]
Received: (qmail 25613 invoked from network); 6 Sep 2007 22:05:22 -0000
Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-10.tower-153.messagelabs.com with SMTP; 6 Sep 2007 22:05:22 -0000
Received: from il06exr01.mot.com (il06exr01.mot.com [129.188.137.131]) by motgate8.mot.com (8.12.11/Motorola) with ESMTP id l86M5MJt000857; Thu, 6 Sep 2007 15:05:22 -0700 (MST)
Received: from il06vts04.mot.com (il06vts04.mot.com [129.188.137.144]) by il06exr01.mot.com (8.13.5/Vontu) with SMTP id l86M5LLV027960; Thu, 6 Sep 2007 17:05:22 -0500 (CDT)
Received: from [127.0.0.1] ([10.129.42.196]) by il06exr01.mot.com (8.13.5/8.13.0) with ESMTP id l86M5Jef027895; Thu, 6 Sep 2007 17:05:20 -0500 (CDT)
Message-ID: <46E0799E.10207@gmail.com>
Date: Fri, 07 Sep 2007 00:05:18 +0200
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Sri Gundavelli <sgundave@cisco.com>
Subject: Re: [netlmm] Issue: Auth Option support
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <0MKp8S-1IIKcu1WNe-0005rE@mrelay.perfora.net> <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com>
In-Reply-To: <01e801c7f0c1$80e341c0$d4f6200a@amer.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 000773-1, 06/09/2007), Outbound message
X-Antivirus-Status: Clean
X-CFilter-Loop: Reflected
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 093efd19b5f651b2707595638f6c4003
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
Sri, IMHO, I have several comments on the authopt original support, and I've already posted on the mip6 list, not much follow up yet. authopt draft is currently incompletely specified (eg what happens to Binding Error authentication?). Basically, I would like to not see authopt being a mandatory authentication mechanism for P-MIPv6. At least not yet - it should evolve more. I would personally say that IPsec support for LMA and MAG is understood ok for the moment and could be suggested as a default for the P-MIPv6 spec. (I perfectly understand the deployments need and use AAA, and AAA is performant and should be integrated with MIP6 and P-MIP6 - but it's not yet clear how). IMHO, Alex Sri Gundavelli wrote: > I want some comments on this issue raised by Alper. > > > Also, if I interpret Sec 5.1 [3775], the IPSec is being > mandated, only the use of IPsec ESP is optional. > > -------- > 5.1. Binding Updates to Home Agents > > The mobile node and the home agent MUST use an IPsec security > association to protect the integrity and authenticity of the Binding > Updates and Acknowledgements. Both the mobile nodes and the home > agents MUST support and SHOULD use the Encapsulating Security Payload > (ESP) [6] header in transport mode and MUST use a non-NULL payload > authentication algorithm to provide data origin authentication, > connectionless integrity and optional anti-replay protection. Note > that Authentication Header (AH) [5] is also possible but for brevity > not discussed in this specification. > ------- > > > I'm confused, should the draft say > > "Both LMA and MAG MUST implement IPsec" and > "all the signaling messages SHOULD be protected using IPSec". > > Will this ok, when reviewed by the security folks ? > > or mandate IPsec for this specification and let other draft > relax this in the presence of an alternative approach ? > > Please comment. > > > Sri > > > > > > > > > > >> -----Original Message----- >> From: Alper Yegin [mailto:alper.yegin@yegin.org] >> Sent: Tuesday, August 07, 2007 1:41 AM >> To: 'Sri Gundavelli'; netlmm@ietf.org >> Subject: RE: [netlmm] Issue: Auth Option support >> >>> The issue was related to the use of MUST clause in specifying >>> the IPSec requirement for Proxy Mobile IPv6 protocol. Alper >>> was suggesting that we relax that requirement and potentially >>> leave a room for Auth Option support in future. >> Actually, I didn't mean it specifically for Auth Option. It >> can be anything. >> Given that the security is handled by a separate protocol, >> why lock it down >> to "IPsec", when some other protocol (Auth Option being one >> example) cannot >> be used. >> >>> But, as most people agreed and as supported by Jari, this can >> My understanding was the opposite, especially about Jari's statement. >> >>> always be changed in future when the support for new security >>> mechanisms such as Auth Option are defined for Proxy Mobile IPv6 >>> and that specific document can always modify this requirement. >>> So, no changes will be made to the document on this issue. >> What if Auth Option is good enough as written? >> What if a document in another SDO defines the alternative security >> mechanism? >> >> For the type of interop we are seeking in IETF, "MUST >> implement" is good >> enough. "MUST use" is not necessary. >> >> Alper >> >> >> >> >> >>> >>> Regards >>> Sri >>> >>> _______________________________________________ >>> netlmm mailing list >>> netlmm@ietf.org >>> https://www1.ietf.org/mailman/listinfo/netlmm > > _______________________________________________ > netlmm mailing list > netlmm@ietf.org > https://www1.ietf.org/mailman/listinfo/netlmm > ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] (no subject) LAI, SHOU WEN -HCHBJ
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- [netlmm] (no subject) Christian Vogt
- [netlmm] Re: your mail Sri Gundavelli
- [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Christian Vogt
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Chowdhury, Kuntal
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Narayanan, Vidya
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support DE JUAN HUARTE FEDERICO
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- [netlmm] Question on security model DE JUAN HUARTE FEDERICO
- RE: [netlmm] Question on security model Sri Gundavelli
- [netlmm] RE: Question on security model Ahmad Muhanna
- Re: [netlmm] Question on security model Julien Laganier
- RE: [netlmm] Question on security model Alper Yegin
- [netlmm] (no subject) Lynoh MaGee