Re: [Dime] Defining a new Application for mip6-split ?

[Yoshihiro Ohba <yohba at tari.toshiba.com>]

On Thu, May 18, 2006 at 04:40:25PM -0400, Avi Lior wrote:
> Hi Yoshi,
>  
> Based on your repsonse we don't have to create a new application id.  So
> how do I express that Service-Type (or NAS-Port-Type) is required?

My response was based on my reading of RFC 3588.  On the other hand,
RFC 3588 does not describe how to deal with the situation.

> 
> So do I create a new ABNF for the DER and DEA commands in the
> EAP-Application to show that these attributes are required now?
> 
> Under what context do I put this new ABNF? I don't have a new
> Application ID nor do I have a new Command?

I think defining a revised ABNF to supersede the existing ABNF for an
existing message is NOT a good idea, since it affects existing
Diameter message parser implementations.  Rather than that, I'd
suggest keeping the current ABNF for DER and DEA as it is, and define
additional processing rules for the AVPs that are defined as optional
but required only by a specific service in a new standard track RFC.
I mean, the message parser does not reject the message even when those
AVPs are missing (because it is defined as optional in the ABNF), but
the implementation of the service-specific Diameter EAP application
must rejects the message if the AVPs are missing or do not contain
information required by the service.

Yoshihiro Ohba

> 
> 
> 
> > -----Original Message-----
> > From: Yoshihiro Ohba [mailto:yohba at tari.toshiba.com] 
> > Sent: Thursday, May 18, 2006 1:52 PM
> > To: Avi Lior
> > Cc: Julien Bournelle; Pasi.Eronen at nokia.com; 
> > hannes.tschofenig at gmx.net; dime at ietf.org
> > Subject: Re: [Dime] Defining a new Application for mip6-split ?
> > 
> > On Thu, May 18, 2006 at 10:10:26AM -0400, Avi Lior wrote:
> > > 
> > > The problem is that neither Service-Type or Port-Type is 
> > mandatory.  
> > > 
> > > O fcourse, if we need to make it mandatory we need to create an new 
> > > Application.
> > 
> > If those AVPs are defined in an existing application, we 
> > don't need to create a new application just because the AVPs 
> > that appear in "optional" portion of the ABNF of the existing 
> > application need to appear in "required" portion.
> > 
> > Yoshihiro Ohba
> > 
> > 
> > > 
> > > Also, if we add a new enumeration to either Port-Type or 
> > Service-Type 
> > > wouldn't we have to create a new Application.
> > > 
> > > BTW, this has been an issue even in RADIUS.  How does the AAA know 
> > > this its authenticating for Mobile IP. Traditionaly it 
> > would know that 
> > > NAS-IP or NAS-Identifier is coming from an HA.  But that 
> > doesn't scale at all.
> > > 
> > > I was trying to decide whether Service-Type or Port-Type is the 
> > > correct way to go.  Service Type seems to be the correct way but in 
> > > RADIUS and Diameter service-type also can be 
> > authenticate-only or authorize-only.
> > > So what if the HA wanted to authenticate-only or authorize-only for 
> > > the MIP service?  I would lose the ability to also indicate 
> > that this 
> > > is an HA.
> > > 
> > > So Port-Type seems to be the way to go....
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Julien Bournelle [mailto:julien.bournelle at int-evry.fr]
> > > > Sent: Thursday, May 18, 2006 7:06 AM
> > > > To: Pasi.Eronen at nokia.com
> > > > Cc: hannes.tschofenig at gmx.net; dime at ietf.org
> > > > Subject: Re: [Dime] Defining a new Application for mip6-split ?
> > > > 
> > > > Hi Pasi,
> > > > 
> > > > On Thu, May 18, 2006 at 02:45:00PM +0300, 
> > Pasi.Eronen at nokia.com wrote:
> > > > > Hi Julien,
> > > > > 
> > > > > There's nothing in RFC 4072 that would limit its use to,
> > > > say, PPP or
> > > > > 802.1X -- it works for IKEv2 as well (which can be considered a 
> > > > > special kind of network access, where the "link" is a
> > > > tunnel over IP).
> > > > 
> > > >  I'm not saying that we can't use IKEv2 with Diameter EAP. I had 
> > > > just a  doubt due to the fact that in our case, we're 
> > doing AAA for 
> > > > the mip6  service and not for network access.
> > > > (So I wanted to know opinion from  the group before starting to 
> > > > write)
> > > > 
> > > > > The details (MIP6 or 802.11 WLAN or something else) can be
> > > > sent to the
> > > > > AAA server using e.g. Service-Type and/or NAS-Port-Type AVPs.
> > > > 
> > > >  ok. I forgot the Service-Type AVP which seems to be what we need.
> > > > 
> > > >  thanks,
> > > > 
> > > >  Best regards,
> > > > 
> > > >  Julien
> > > > 
> > > > > 
> > > > > Best regards,
> > > > > Pasi
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: ext Julien Bournelle 
> > [mailto:julien.bournelle at int-evry.fr]
> > > > > > Sent: 18 May, 2006 11:42
> > > > > > To: dime at ietf.org
> > > > > > Cc: hannes.tschofenig at gmx.net
> > > > > > Subject: [Dime] Defining a new Application for mip6-split ?
> > > > > > 
> > > > > > Hi all,
> > > > > > 
> > > > > >  we're in the process of updating/writing the document 
> > > > > > describing use of  Diameter for the Mobile IPv6 split 
> > scenario.
> > > > > > 
> > > > > >  In the split scenario, the Mobile Node (MN) uses IKEv2
> > > > with the HA
> > > > > > to  setup IPsec SAs. This exchange is also used by the HA to 
> > > > > > authenticate  the MN using EAP. The HA may rely on a
> > > > AAA/EAP server
> > > > > > for this. So we  have the following scheme:
> > > > > > 
> > > > > >  MN <-- IKEv2-EAP --> HA <--------> AAA
> > > > > > 
> > > > > >  A priori Diameter EAP (RFC 4072) can be used between 
> > HA and AAA. 
> > > > > > 
> > > > > >  The problem is that Diameter EAP is normally used 
> > for Network 
> > > > > > Access  authentication.
> > > > > > 
> > > > > >  In our case, the AAA server must perform AAA
> > > > functionality for the
> > > > > > Mobile IPv6 service. The AAA server must know that it has to 
> > > > > > authorize the mip6 service and the accounting (ASR/ASA)
> > > > is also for
> > > > > >  mip6 and not for network access.
> > > > > > 
> > > > > >  For the above reason, it seems that we should define a
> > > > new Diameter
> > > > > > Application. However, in the same time, the messages 
> > defined in 
> > > > > > Diameter EAP could be reused.
> > > > > > 
> > > > > >  So I'd like to hear opinions concerning this issue.
> > > > > > 
> > > > > >  Thanks,
> > > > > > 
> > > > > > 
> > > > > >  - Julien B.
> > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > DiME mailing list
> > > > > > DiME at ietf.org
> > > > > > https://www1.ietf.org/mailman/listinfo/dime
> > > > > > 
> > > > 
> > > > --
> > > > julien.bournelle at int-evry.fr
> > > > 
> > > > _______________________________________________
> > > > DiME mailing list
> > > > DiME at ietf.org
> > > > https://www1.ietf.org/mailman/listinfo/dime
> > > > 
> > > 
> > > _______________________________________________
> > > DiME mailing list
> > > DiME at ietf.org
> > > https://www1.ietf.org/mailman/listinfo/dime
> > > 
> > > 
> > 
> 
> 

_______________________________________________
DiME mailing list
DiME at ietf.org
https://www1.ietf.org/mailman/listinfo/dime