Hi all,
I would agree with a single Diameter application for both authentication
and authorization for MIP6 service with IKEv2/IPsec.
In some scenarios, the IPsec gateway (e.g. 3GPP: PDG, 3GPP2: PDIF) may be
collocated with the Home Agent. To support such scenarios, there should
be a clear way to identify the type of service the MN is trying to
access, i.e. whether it is trying only to establish an IPsec session with the
IPsec gateway or wants to access the MIPv6 service as well. The IDr field
in the IKEv2 exchange can be used for this type of service selection.
So, I would suggest that the MIPv6 Diameter application is used when such
an (IPsec or IPsec+MIP6) indication is available at the Home Agent.
Best regards,
Kuntal
-----Original Message-----
From: Avi Lior [mailto:avi at bridgewatersystems.com]
Sent: Wednesday, March 14, 2007 10:06 PM
To: Hannes Tschofenig; dime at ietf.org
Subject: RE: [Dime] Consensus Call regarding Diameter Mobile IPv6 HA-to-AAAH support
Yes.
Authentication -- the EAP part and Authorization should happen in one
Diameter Application.
-----Original Message-----
From: Hannes Tschofenig [mailto:Hannes.Tschofenig at gmx.net]
Sent: Wednesday, March 14, 2007 5:22 PM
To: dime at ietf.org
Subject: [Dime] Consensus Call regarding Diameter Mobile IPv6 HA-to-AAAH support
Hi all,
with our work on the "Diameter Mobile IPv6 HA-to-AAAH support" document
(see http://www.ietf.org/internet-drafts/draft-ietf-dime-mip6-split-01.txt)
we defined a new Diameter application and we then decided that we should
separate the authentication and authorization interaction to avoid an
update of this specification when RFC 4072 is updated. This means that
the Diameter MIPv6 app-ID is used for the authorization part and the
Diameter EAP app-ID is used for the authentication part. Diameter
routing may cause authentication and authorization messages to be routed
to different servers. This caused a lengthy debate on security issues.
It seems that there is a lot of complexity associated with this approach.
I would therefore like to hear whether working group members are OK with
performing authentication and authorization as part of one Diameter
application. This would therefore mean that we are going to use the
Diameter MIPv6 app-ID for authentication and for authorization.
Please state your opinion.
Ciao
Hannes
_______________________________________________
DiME mailing list
DiME at ietf.org
https://www1.ietf.org/mailman/listinfo/dime
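The routing concern in Hannes's consensus call and the IDr-based service selection Kuntal describes, as an added example that is not part of the thread or of the draft. It encodes Diameter headers (RFC 3588 layout), shows a relay keyed on (realm, Application-Id) sending authentication and authorization to different peers when they use different app-IDs but to the same peer when one app-ID is used, and parses an IKEv2 IDr payload (RFC 4306 section 3.5) to decide which service the MN wants. The MIPv6 Application-Id value, the authorization command code, the routing table, the hostnames and the FQDN convention used in IDr are assumptions for illustration, not values from the draft.

```python
import struct

# Diameter header (RFC 3588 section 3): version(1) | length(3) | flags(1) | code(3)
# | Application-Id(4) | Hop-by-Hop(4) | End-to-End(4) = 20 bytes, network byte order.
DIAMETER_HDR_LEN = 20
FLAG_REQUEST = 0x80
DIAMETER_EAP_APP_ID = 5     # Diameter EAP application (RFC 4072)
MIP6_APP_ID = 7             # ASSUMED placeholder for the MIPv6 application the draft defines
DER_CMD = 268               # Diameter-EAP-Request command code (RFC 4072)
MIP6_AUTHZ_CMD = 10000      # HYPOTHETICAL command code for the MIPv6 authorization request


def build_header(cmd_code, app_id, hbh=1, e2e=1, flags=FLAG_REQUEST, payload_len=0):
    """Encode a Diameter header; the AVP payload itself is not modelled here."""
    length = DIAMETER_HDR_LEN + payload_len
    return struct.pack(">IIIII", (1 << 24) | length, (flags << 24) | cmd_code,
                       app_id, hbh, e2e)


def parse_header(data):
    """Decode the 20-byte header; rejects anything but Diameter version 1."""
    v_len, f_code, app_id, hbh, e2e = struct.unpack(">IIIII", data[:DIAMETER_HDR_LEN])
    if v_len >> 24 != 1:
        raise ValueError("unsupported Diameter version")
    return {"length": v_len & 0xFFFFFF, "flags": f_code >> 24,
            "code": f_code & 0xFFFFFF, "app_id": app_id, "hbh": hbh, "e2e": e2e}


def route(msg, table, realm):
    """A relay picks the next hop from (Destination-Realm, Application-Id)."""
    hdr = parse_header(msg)
    try:
        return table[(realm, hdr["app_id"])]
    except KeyError:
        raise LookupError("DIAMETER_UNABLE_TO_DELIVER for app %d" % hdr["app_id"])


# Constructed routing table of a hypothetical relay in the home realm: the
# EAP application and the MIPv6 application are served by different hosts.
ROUTES = {
    ("home.example", DIAMETER_EAP_APP_ID): "eap-aaa1.home.example",
    ("home.example", MIP6_APP_ID): "mip6-aaa2.home.example",
}


def split_design():
    """Authentication under the EAP app-ID, authorization under the MIPv6 app-ID:
    the two messages of one MN session end up at two different servers."""
    auth = build_header(DER_CMD, DIAMETER_EAP_APP_ID, hbh=1, e2e=1)
    authz = build_header(MIP6_AUTHZ_CMD, MIP6_APP_ID, hbh=2, e2e=2)
    return route(auth, ROUTES, "home.example"), route(authz, ROUTES, "home.example")


def single_design():
    """Both exchanges carry the MIPv6 app-ID, so the relay sends them to one server."""
    auth = build_header(DER_CMD, MIP6_APP_ID, hbh=1, e2e=1)
    authz = build_header(MIP6_AUTHZ_CMD, MIP6_APP_ID, hbh=2, e2e=2)
    return route(auth, ROUTES, "home.example"), route(authz, ROUTES, "home.example")


# IKEv2 Identification payload body (RFC 4306 section 3.5):
# ID Type(1) | RESERVED(3, must be zero) | Identification Data
ID_FQDN = 2


def parse_idr(body):
    id_type = body[0]
    if body[1:4] != b"\x00\x00\x00":
        raise ValueError("RESERVED bytes in IDr must be zero")
    return id_type, body[4:]


# ASSUMED convention (not from the thread): an ID_FQDN naming the HA's MIPv6
# service selects IPsec+MIP6; any other IDr means the MN only wants an IPsec
# tunnel to the collocated gateway, handled with plain Diameter EAP.
MIP6_SERVICE_FQDN = b"mip6.ha.home.example"


def select_diameter_app(idr_body):
    """Map the IDr the MN sent to (service, Diameter Application-Id to use)."""
    id_type, data = parse_idr(idr_body)
    if id_type == ID_FQDN and data == MIP6_SERVICE_FQDN:
        return "ipsec+mip6", MIP6_APP_ID
    return "ipsec-only", DIAMETER_EAP_APP_ID


if __name__ == "__main__":
    print("split :", split_design())
    print("single:", single_design())
    print(select_diameter_app(b"\x02\x00\x00\x00" + MIP6_SERVICE_FQDN))
    print(select_diameter_app(b"\x02\x00\x00\x00pdg.home.example"))
```

The point the relay makes visible: with two app-IDs the server that saw the EAP exchange has no local state for the authorization request that arrives at the other host, which is where the security debate in the thread comes from; with one app-ID the relay has no way to separate them.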