RE: [netlmm] Issue: Auth Option support
"Chowdhury, Kuntal" <kchowdhury@starentnetworks.com> Fri, 07 September 2007 22:02 UTC
From: "Chowdhury, Kuntal" <kchowdhury@starentnetworks.com>
To: Basavaraj Patil <basavaraj.patil@nsn.com>, Sri Gundavelli <sgundave@cisco.com>, Julien Laganier <julien.IETF@laposte.net>, netlmm@ietf.org
I agree. MUST implement is fine. MUST use is too much, IMO.

-Kuntal

> -----Original Message-----
> From: Basavaraj Patil [mailto:basavaraj.patil@nsn.com]
> Sent: Friday, September 07, 2007 4:56 PM
> To: Sri Gundavelli; 'Julien Laganier'; netlmm@ietf.org
> Subject: Re: [netlmm] Issue: Auth Option support
>
> To ensure there is interoperability between multiple implementations, there
> needs to be a default security mechanism and that would be IPsec. What
> specific method is used in a certain deployment is not mandated by the spec.
>
> So I think we can just leave it as a MUST for IPsec as the default security
> solution without saying MUST use.
>
> -Raj
>
> On 9/7/07 4:42 PM, "ext Sri Gundavelli" <sgundave@cisco.com> wrote:
>
> > Raj,
> >
> > This is my view as well. Now, this will conflict with
> > "MUST implement and SHOULD use of IPsec". To be consistent,
> > it has to be "MUST implement and MUST use". Then Alper won't
> > like this...
> >
> > Sri
> >
> >> -----Original Message-----
> >> From: Basavaraj Patil [mailto:basavaraj.patil@nsn.com]
> >> Sent: Friday, September 07, 2007 2:12 PM
> >> To: Sri Gundavelli; 'Julien Laganier'; netlmm@ietf.org
> >> Subject: Re: [netlmm] Issue: Auth Option support
> >>
> >> Hi Sri,
> >>
> >> I do believe we need to specify a default security mechanism for the
> >> MAG/LMA signaling messages. And for this purpose, IPsec is a good choice.
> >> So IMO it is required that we state "Proxy MIP6 signaling messages between
> >> the MAG and LMA MUST be secured by the use of an IPsec SA between the two
> >> entities".
> >>
> >> I think this does not limit the ability to adopt alternative security
> >> solutions in the future.
> >>
> >> -Raj
> >>
> >> On 9/7/07 12:10 PM, "ext Sri Gundavelli" <sgundave@cisco.com> wrote:
> >>
> >>> Hi Julien,
> >>>
> >>>> -----Original Message-----
> >>>> From: julien laganier [mailto:julien.laganier@gmail.com] On
> >>>> Behalf Of Julien Laganier
> >>>> Sent: Friday, September 07, 2007 5:29 AM
> >>>> To: netlmm@ietf.org
> >>>> Cc: Sri Gundavelli; 'Alper Yegin'
> >>>> Subject: Re: [netlmm] Issue: Auth Option support
> >>>>
> >>>> Hi Sri,
> >>>>
> >>>> On Thursday 06 September 2007, Sri Gundavelli wrote:
> >>>>> I'm confused, should the draft say
> >>>>>
> >>>>> "Both LMA and MAG MUST implement IPsec" and
> >>>>> "all the signaling messages SHOULD be protected using IPSec".
> >>>>>
> >>>>> Will this be ok, when reviewed by the security folks?
> >>>>>
> >>>>> or mandate IPsec for this specification and let other draft
> >>>>> relax this in the presence of an alternative approach?
> >>>>>
> >>>>> Please comment.
> >>>>
> >>>> Somehow, "MUST implement" and "SHOULD use" together seems a bit
> >>>> tautologic.
> >>>>
> >>>> To me "SHOULD use" is sufficient since it covers both of the two
> >>>> possible cases:
> >>>>
> >>>> - deployment follows the SHOULD recommendation, it uses IPsec to protect
> >>>> PMIPv6, in which case it supports it, since it's using it :), or
> >>>>
> >>>> - deployment ignores the SHOULD recommendation, does not use IPSec, in
> >>>> which case it is useless to implement it since it's not used...
> >>>>
> >>>> I'd prefer having "MUST protect integrity of signalling messages, and
> >>>> SHOULD use IPsec ESP to protect integrity of those messages". We might
> >>>> also add "MAY use IPsec AH".
> >>>>
> >>>
> >>> I agree. I'm not against allowing other approaches. I'm only concerned,
> >>> if we can leave the draft saying, "MUST protect integrity of signalling
> >>> messages", without specifying IPsec or some other approach. If that
> >>> will pass the security review. We may have to state that IPsec MUST be
> >>> used or some other approach, say Auth-Option MUST be used. Not sure, if
> >>> we can leave this blank.
> >>>
> >>> Sri

_______________________________________________
netlmm mailing list
netlmm@ietf.org
https://www1.ietf.org/mailman/listinfo/netlmm