Re: [Dime] Route-Record in any Diameter answer (was: CCA)
Hi,
> Does anyone have any opinion on the following points?
I agree that Route-Record in a Diameter Answer would bring additional
security (via traceability).
When the server sends the answer with a success result code, it
implicitly indicates that it trusts the path of the request (same as the
path of the answer).
When the local agent receives the answer, it contains the identity of
the sender.
One could assume that indirect trust is established: local agent ->
home server -> path.
Anyway, if an untrusted relay receives the request and forges an answer,
it can fake the Origin-Host of the reply. The local agent has no means to
detect this if no Route-Record is in the answer.
IMHO, the question is: to what extent do we trust the hop-by-hop
security mechanism (TLS or IPsec)?
Best regards,
Sebastien.
--
Sebastien Decugis
Research fellow
Network Architecture Group
NICT (nict.go.jp)