Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host

"VAN DE VELDE, Gunter (Nokia - BE)" <gunter.van_de_velde@alcatel-lucent.com> Thu, 07 January 2016 17:14 UTC

From: "VAN DE VELDE, Gunter (Nokia - BE)" <gunter.van_de_velde@alcatel-lucent.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>, "draft-ietf-v6ops-unique-ipv6-prefix-per-host@tools.ietf.org" <draft-ietf-v6ops-unique-ipv6-prefix-per-host@tools.ietf.org>
Date: Thu, 07 Jan 2016 17:13:54 +0000
Message-ID: <33FC69DB-7389-4AA3-B1D0-DC1016C134DD@alcatel-lucent.com>
In-Reply-To: <2134F8430051B64F815C691A62D9831832F9BF23@XCH-BLV-504.nw.nos.boeing.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/p3MFs3JK_iqhCg5lzlN5RnaSnjc>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host

On 07/01/16 17:56, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:

>Hi Gunter,
>
>Maybe I am not understanding you correctly. There may be many APs (100's, 1000's, etc.)
>associated with a single WLAN-GW - correct? 

GV> Yep, there can be indeed. I start to see where the confusion came from.

>At each AP, a UE presents itself using its
>MAC address and initially sends out an RS using an IPv6 link-local address most likely
>derived from the MAC address. The AP (acting in bridge mode) then forwards the
>RS to the WLAN-GW which needs to have some way of knowing that the RS came
>from an authentic source. (You have said that the MAC address is the identifier for
>the UE - but, does the WLAN-GW see the MAC address, or does it only see the
>link-local address?)

GV> The AP is bridging from wifi to the GRE tunnel, so the WLAN-GW sees the MAC address indeed.

>
>Now, consider a UE 'A' associated with AP 'X' and a UE 'B' associated with AP 'Y'.
>A is the authentic owner of MAC address 'M'. When A associates with X, the
>WLAN-GW goes through the authentication procedures based on the MAC
>address M (or the IPv6 link-local address associated with MAC address M).
>But now, B associates with Y and also uses MAC address M. (Or, maybe B
>associates with Y before A associates with X.) What is to stop B from spoofing
>the MAC address in this way and DoS'ing A?

GV> Both APs use their own different SoftGRE tunnel to the WLAN-GW, and that is how the WLAN-GW finds out they are different, because the tunnel can be part of the key. Of course UE mobility and other advanced features can be enabled on the WLAN-GW using alternate authentication mechanisms, but that is beyond the scope of this particular draft, as that drives pretty far into vendor capability territory and I believe that is beyond v6ops scope.

Be well,
G/

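To make the keying point of this exchange concrete, here is a toy model of a WLAN-GW session table (an added example, not code from the draft or from any vendor's WLAN-GW): it contrasts sessions keyed on the MAC address alone with sessions keyed on (SoftGRE tunnel, MAC), using a constructed MAC, constructed tunnel names and a documentation prefix pool.

```python
"""Toy WLAN-GW session keying. Assumptions (not from the draft): each AP
bridges UE traffic into its own SoftGRE tunnel, the gateway identifies a
UE by source MAC, and each session is handed one unique /64 prefix."""
from ipaddress import IPv6Network
from typing import Dict, Hashable, Iterator, Tuple


class WlanGw:
    """Session table for a WLAN gateway.

    key_on_tunnel=False: sessions keyed on MAC only (the weak design).
    key_on_tunnel=True:  sessions keyed on (tunnel, MAC), as in the reply.
    """

    def __init__(self, pool: str, key_on_tunnel: bool) -> None:
        self.key_on_tunnel = key_on_tunnel
        self.sessions: Dict[Hashable, IPv6Network] = {}
        # Carve the pool into /64s, one per session, in order.
        self._prefixes: Iterator[IPv6Network] = IPv6Network(pool).subnets(new_prefix=64)

    def _key(self, tunnel: str, mac: str) -> Hashable:
        mac = mac.lower()
        return (tunnel, mac) if self.key_on_tunnel else mac

    def router_solicitation(self, tunnel: str, mac: str) -> IPv6Network:
        """Handle an RS arriving over `tunnel` from source MAC `mac` and
        return the /64 the gateway will advertise to that session."""
        key = self._key(tunnel, mac)
        if key not in self.sessions:
            self.sessions[key] = next(self._prefixes)
        return self.sessions[key]

    def session_count(self) -> int:
        return len(self.sessions)


def demo(key_on_tunnel: bool) -> Tuple[IPv6Network, IPv6Network, int]:
    """UE A (genuine owner of MAC M) on AP X; UE B on AP Y presents the
    same MAC M. Returns (prefix seen by A, prefix seen by B, session count)."""
    gw = WlanGw("2001:db8::/48", key_on_tunnel)
    mac_m = "00:11:22:33:44:55"  # constructed sample MAC
    a = gw.router_solicitation("gre-ap-x", mac_m)  # A's RS via AP X's tunnel
    b = gw.router_solicitation("gre-ap-y", mac_m)  # B's RS via AP Y's tunnel
    return a, b, gw.session_count()
```

With MAC-only keying B's RS lands in A's existing session (one session, same prefix), which is the collision Fred describes; with the tunnel in the key the two RSs become two separate sessions with distinct /64s.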