RE: [netlmm] Issue: Auth Option support

"Chowdhury, Kuntal" <kchowdhury@starentnetworks.com> Fri, 07 September 2007 22:02 UTC

Subject: RE: [netlmm] Issue: Auth Option support
Date: Fri, 07 Sep 2007 18:01:32 -0400
Message-ID: <7CCD07160348804497EF29E9EA5560D7024DA53C@exchtewks2.starentnetworks.com>
In-Reply-To: <C307330D.42924%basavaraj.patil@nsn.com>
From: "Chowdhury, Kuntal" <kchowdhury@starentnetworks.com>
To: Basavaraj Patil <basavaraj.patil@nsn.com>, Sri Gundavelli <sgundave@cisco.com>, Julien Laganier <julien.IETF@laposte.net>, netlmm@ietf.org

I agree. MUST implement is fine. MUST use is too much, IMO.

-Kuntal


> -----Original Message-----
> From: Basavaraj Patil [mailto:basavaraj.patil@nsn.com]
> Sent: Friday, September 07, 2007 4:56 PM
> To: Sri Gundavelli; 'Julien Laganier'; netlmm@ietf.org
> Subject: Re: [netlmm] Issue: Auth Option support
> 
> 
> To ensure there is interoperability between multiple implementations, there
> needs to be a default security mechanism and that would be IPsec. What
> specific method is used in a certain deployment is not mandated by the spec.
> 
> So I think we can just leave it as a MUST for IPsec as the default security
> solution without saying MUST use.
> 
> -Raj
> 
> 
> On 9/7/07 4:42 PM, "ext Sri Gundavelli" <sgundave@cisco.com> wrote:
> 
> > Raj,
> >
> > This is my view as well. Now, this will conflict with
> > "MUST implement and SHOULD use of IPsec". To be consistent,
> > it has to be "MUST implement and MUST use". Then Alper won't
> > like this...
> >
> >
> > Sri
> >
> >
> >> -----Original Message-----
> >> From: Basavaraj Patil [mailto:basavaraj.patil@nsn.com]
> >> Sent: Friday, September 07, 2007 2:12 PM
> >> To: Sri Gundavelli; 'Julien Laganier'; netlmm@ietf.org
> >> Subject: Re: [netlmm] Issue: Auth Option support
> >>
> >>
> >> Hi Sri,
> >>
> >> I do believe we need to specify a default security mechanism for the MAG/LMA
> >> signaling messages. And for this purpose, IPsec is a good choice.
> >> So IMO it is required that we state "Proxy MIP6 signaling messages between
> >> the MAG and LMA MUST be secured by the use of an IPsec SA between the two
> >> entities".
> >>
> >> I think this does not limit the ability to adopt alternative security
> >> solutions in the future.
> >>
> >> -Raj
> >>
> >>
> >> On 9/7/07 12:10 PM, "ext Sri Gundavelli" <sgundave@cisco.com> wrote:
> >>
> >>> Hi Julien,
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: julien laganier [mailto:julien.laganier@gmail.com] On
> >>>> Behalf Of Julien Laganier
> >>>> Sent: Friday, September 07, 2007 5:29 AM
> >>>> To: netlmm@ietf.org
> >>>> Cc: Sri Gundavelli; 'Alper Yegin'
> >>>> Subject: Re: [netlmm] Issue: Auth Option support
> >>>>
> >>>> Hi Sri,
> >>>>
> >>>> On Thursday 06 September 2007, Sri Gundavelli wrote:
> >>>>> I'm confused, should the draft say
> >>>>>
> >>>>> "Both LMA and MAG MUST implement IPsec" and
> >>>>> "all the signaling messages SHOULD be protected using IPSec".
> >>>>>
> >>>>> Will this be ok, when reviewed by the security folks?
> >>>>>
> >>>>> or mandate IPsec for this specification and let other draft
> >>>>> relax this in the presence of an alternative approach ?
> >>>>>
> >>>>> Please comment.
> >>>>
> >>>> Somehow, "MUST implement" and "SHOULD use" together seems a bit
> >>>> tautologic.
> >>>>
> >>>> To me "SHOULD use" is sufficient since it covers both of the two
> >>>> possible cases:
> >>>>
> >>>> - deployment follows the SHOULD recommendation, it uses IPsec to protect
> >>>> PMIPv6, in which case it supports it, since it's using it :), or
> >>>>
> >>>> - deployment ignores the SHOULD recommendation, does not use IPSec, in
> >>>> which case it is useless to implement it since it's not used...
> >>>>
> >>>> I'd prefer having "MUST protect integrity of signalling messages, and
> >>>> SHOULD use IPsec ESP to protect integrity of those messages". We might
> >>>> also add "MAY use IPsec AH".
> >>>>
> >>>
> >>>
> >>> I agree. I'm not against allowing other approaches. I'm only concerned
> >>> if we can leave the draft saying, "MUST protect integrity of signalling
> >>> messages", without specifying IPsec or some other approach, if that
> >>> will pass the security review. We may have to state that IPsec MUST be
> >>> used or some other approach, say Auth-Option MUST be used. Not sure if
> >>> we can leave this blank.
> >>>
> >>> Sri
> >>>
> >>>
> >>> _______________________________________________
> >>> netlmm mailing list
> >>> netlmm@ietf.org
> >>> https://www1.ietf.org/mailman/listinfo/netlmm