Re: [netlmm] Issue: Auth Option support
Alexandru Petrescu <alexandru.petrescu@gmail.com> Fri, 07 September 2007 13:28 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITdtL-0005kK-9n; Fri, 07 Sep 2007 09:28:59 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITdtK-0005kE-DR for netlmm@ietf.org; Fri, 07 Sep 2007 09:28:58 -0400
Received: from mail119.messagelabs.com ([216.82.241.179]) by chiedprmail1.ietf.org with smtp (Exim 4.43) id 1ITdtJ-0004y4-U1 for netlmm@ietf.org; Fri, 07 Sep 2007 09:28:58 -0400
X-VirusChecked: Checked
X-Env-Sender: alexandru.petrescu@gmail.com
X-Msg-Ref: server-13.tower-119.messagelabs.com!1189171736!32693858!1
X-StarScan-Version: 5.5.12.14.2; banners=.,-,-
X-Originating-IP: [144.189.100.105]
Received: (qmail 24215 invoked from network); 7 Sep 2007 13:28:56 -0000
Received: from motgate5.mot.com (HELO motgate5.mot.com) (144.189.100.105) by server-13.tower-119.messagelabs.com with SMTP; 7 Sep 2007 13:28:56 -0000
Received: from az33exr04.mot.com (az33exr04.mot.com [10.64.251.234]) by motgate5.mot.com (8.12.11/Motorola) with ESMTP id l87DSpZa027340; Fri, 7 Sep 2007 06:28:56 -0700 (MST)
Received: from az10vts03 (az10vts03.mot.com [10.64.251.244]) by az33exr04.mot.com (8.13.1/Vontu) with SMTP id l87DSpDr023114; Fri, 7 Sep 2007 08:28:51 -0500 (CDT)
Received: from [127.0.0.1] (zfr01-2117.crm.mot.com [10.161.201.117]) by az33exr04.mot.com (8.13.1/8.13.0) with ESMTP id l87DSm46023006; Fri, 7 Sep 2007 08:28:49 -0500 (CDT)
Message-ID: <46E1520B.3010102@gmail.com>
Date: Fri, 07 Sep 2007 15:28:43 +0200
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Julien Laganier <julien.IETF@laposte.net>
Subject: Re: [netlmm] Issue: Auth Option support
References: <Pine.GSO.4.63.0708070000100.13701@irp-view13.cisco.com> <200709071429.19318.julien.IETF@laposte.net> <46E14994.9060302@gmail.com> <200709071515.51933.julien.IETF@laposte.net>
In-Reply-To: <200709071515.51933.julien.IETF@laposte.net>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 000773-1, 06/09/2007), Outbound message
X-Antivirus-Status: Clean
X-CFilter-Loop: Reflected
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 73734d43604d52d23b3eba644a169745
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
Julien Laganier wrote: > On Friday 07 September 2007, Alexandru Petrescu wrote: >> Julien Laganier wrote: >>> Hi Sri, >>> >>> On Thursday 06 September 2007, Sri Gundavelli wrote: >>>> I'm confused, should the draft say >>>> >>>> "Both LMA and MAG MUST implement IPsec" and >>>> "all the signaling messages SHOULD be protected using IPSec". >>>> >>>> Will this ok, when reviewed by the security folks ? >>>> >>>> or mandate IPsec for this specification and let other draft >>>> relax this in the presence of an alternative approach ? >>>> >>>> Please comment. >>> Somehow, "MUST implement" and "SHOULD use" together seems a bit >>> tautologic. >>> >>> To me "SHOULD use" is sufficient since it covers both of the two >>> possibles cases: >>> >>> - deployment follows the SHOULD recommendation, it uses IPsec to >>> protect PMIPv6, in which case it supports it, since it's using it >>> :), or >>> >>> - deployment ignores the SHOULD recommendation, does not uses >>> IPSec, in which case it is useless to implement it since it's not >>> used... >>> >>> I'd prefer having "MUST protect integrity of signalling messages, >>> and SHOULD use IPsec ESP to protect integrity of those messages". >>> We might also add "MAY use IPsec AH". >> I'm not sure what you mean... >> >> Do you mean to use ESP to offer authentication (integrity >> protection)? I'd suggest to make AH a should, for this purpose, not >> ESP. > > For an IPsec implementation ESP is MUST and AH is a MAY, therefore I > meant exactly what I said: ESP for integrity protection. For the > reference, this is an excerpt from Section 3.2 of RFC4301: > > IPsec implementations MUST support ESP and MAY > support AH. (Support for AH has been downgraded to MAY because > experience has shown that there are very few contexts in which ESP > cannot provide the requisite security services. Note that ESP can be > used to provide only integrity, without confidentiality, making it > comparable to AH in most contexts.) Ok, I was not aware of that paragraph. I was thinking AH protection was enough but it seems it is not necessary, and that ESP is necessary. >> Or do you mean to use ESP to offer confidentiality (encrypted >> packets)? > > No I don't mean that. I don't see confidentiality protection as a > requirement for PMIPv6 security. Err... >> In this case, ESP is the only possibility to do >> confindentiality, because authopt doesn't; so not sure why needing to >> debate the use of ESP for confidentiality, it is pretty clear. >> >> Also, when you say to protect integrity of signalling messages, which >> of those do you assume? authopt only does bu/back, it doesn't do >> other mip6 signalling. So I think you only assume integrity of >> bu/back, right? > > I mean protection of PMIPv6 messages, i.e. defined/used by the PMIPv6 > specification. Seems that's limited to pBU/pBAck, right? Right... that's what the PMIPv6 spec says. It is strange we struggle with timestamp/seqno issues whose main goal is to make it more reliable and at the same time we ignore Binding Error, Binding Refresh Request. Alex ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] (no subject) LAI, SHOU WEN -HCHBJ
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- [netlmm] (no subject) Christian Vogt
- [netlmm] Re: your mail Sri Gundavelli
- [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Christian Vogt
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Chowdhury, Kuntal
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- Re: [netlmm] Issue: Auth Option support Alexandru Petrescu
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Narayanan, Vidya
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- Re: [netlmm] Issue: Auth Option support Basavaraj Patil
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support Sri Gundavelli
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Julien Laganier
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- RE: [netlmm] Issue: Auth Option support DE JUAN HUARTE FEDERICO
- RE: [netlmm] Issue: Auth Option support Ahmad Muhanna
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- RE: [netlmm] Issue: Auth Option support Alper Yegin
- Re: [netlmm] Issue: Auth Option support Vijay Devarapalli
- [netlmm] Question on security model DE JUAN HUARTE FEDERICO
- RE: [netlmm] Question on security model Sri Gundavelli
- [netlmm] RE: Question on security model Ahmad Muhanna
- Re: [netlmm] Question on security model Julien Laganier
- RE: [netlmm] Question on security model Alper Yegin
- [netlmm] (no subject) Lynoh MaGee