Re: [Dime] Route-Record in any Diameter answer (was: CCA)
IMO there are two things which we are discussing
1) ABNF defined for some answer messages in some RFCs has Route-Record AVP present in it
for example CCA in 4006
The common understanding that we have now is that this is needed for path authorization by the diameter home realm, though this is not explicitly mentioned in the RFC. The procedures that need to be performed at the diameter server are not defined in this case. Was this the original intent of having a Route-Record AVP in the CCA message?
2) Extending the Route-Record AVP mechanism for path authorization by the home realm. Do we need to add this to the 3588 bis?
I hope the experts can provide their opinions on this.
On Thu, Mar 19, 2009 at 6:59 AM, Sebastien Decugis
<sdecugis at nict.go.jp> wrote:
> Hi,
> > Does anyone have any opinion on the following points?
> I agree that Route-Record in a Diameter Answer would bring additional
> security (via traceability).
> When the server sends the answer with a success result code, it
> implicitly indicates that it trusts the path of the request (same as the
> path of the answer).
> When the local agent receives the answer, it contains the identity of
> the sender.
> One could assume that indirect trust is established: local agent ->
> home server -> path.
> Anyway, if an untrusted relay receives the request and forges an answer,
> it can fake the Origin-Host of the reply. The local agent has no means to
> detect this if no Route-Record is in the answer.
> IMHO, the question is: to what extent do we trust the hop-by-hop
> security mechanism (TLS or IPsec)?
> Best regards,
> Sebastien.
> --
> Sebastien Decugis
> Research fellow
> Network Architecture Group
> NICT (nict.go.jp)
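To make the detection point in the thread concrete, here is an added example (not code from the thread, from any IETF draft, or from any Diameter implementation) of what a local agent could do with a Route-Record list in an answer. It encodes and decodes Diameter AVPs per the RFC 3588 header layout (Route-Record code 282, Origin-Host code 264, both with the M bit), then audits the path an answer claims: no Route-Record means the path cannot be checked at all, so a forged answer with a fake Origin-Host looks identical to a genuine one; with Route-Record present, the agent can require that the path starts at its own identity and that every hop is a relay it trusts. The assumptions are stated in comments: that the local agent inserted the first Route-Record into the request, that the home server echoes that path into the answer (the behaviour under discussion), and that the agent holds a configured set of trusted relay identities. All hostnames are constructed sample values.

```python
import struct

# Diameter AVP codes from RFC 3588 (Route-Record = 282, Origin-Host = 264).
ROUTE_RECORD = 282
ORIGIN_HOST = 264
FLAG_V = 0x80   # vendor-specific AVP (adds a 4-byte Vendor-ID to the header)
FLAG_M = 0x40   # mandatory bit; both AVPs above are 'M' AVPs


def encode_avp(code, data, flags=FLAG_M):
    """Encode one AVP: 4-byte code, 1-byte flags, 3-byte length (header plus
    data, padding excluded), then data padded to a 32-bit boundary."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Walk a buffer of AVPs and return (code, flags, data) tuples.
    Truncated or inconsistent lengths raise instead of reading past the end."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        avps.append((code, flags, bytes(buf[off + hdr:off + length])))
        off += length + ((-length) % 4)   # skip the padding as well
    return avps


def origin_host(avps):
    """Origin-Host as a string, or None if absent."""
    for code, _flags, data in avps:
        if code == ORIGIN_HOST:
            return data.decode("utf-8")
    return None


def route_records(avps):
    """Route-Record values in message order (each relay appends its own)."""
    return [d.decode("utf-8") for c, _f, d in avps if c == ROUTE_RECORD]


def check_answer_path(avps, local_agent, trusted_relays):
    """Verdict for an answer as seen by the local agent that forwarded the request.

    Assumptions (this example's, not the thread's): the local agent inserted the
    first Route-Record into the request, the home server echoed the request path
    into the answer, and trusted_relays is the agent's configured allow-list.
    """
    path = route_records(avps)
    if not path:
        # Nothing to audit: an answer forged by an untrusted relay with a fake
        # Origin-Host is indistinguishable from a genuine one.
        return "no-route-record"
    if path[0] != local_agent:
        return "path-does-not-start-at-local-agent"
    for hop in path:
        if hop not in trusted_relays:
            return "untrusted-hop:" + hop
    return "ok"


def build_answer(origin, path):
    """Constructed sample answer body: Origin-Host plus one Route-Record per hop."""
    body = encode_avp(ORIGIN_HOST, origin.encode("utf-8"))
    for hop in path:
        body += encode_avp(ROUTE_RECORD, hop.encode("utf-8"))
    return body


if __name__ == "__main__":
    trusted = {"agent.example.net", "relay.example.org"}
    genuine = decode_avps(build_answer("server.example.com",
                                       ["agent.example.net", "relay.example.org"]))
    print(origin_host(genuine), check_answer_path(genuine, "agent.example.net", trusted))
    # Same Origin-Host, but no Route-Record: the agent cannot tell it apart.
    forged = decode_avps(build_answer("server.example.com", []))
    print(origin_host(forged), check_answer_path(forged, "agent.example.net", trusted))
```

The "no-route-record" verdict is the case Sebastien describes: Origin-Host alone is just an AVP any relay on the path can write, so without a path record the agent's only protection is the hop-by-hop TLS or IPsec trust. Whether "no-route-record" should be treated as a failure depends on whether the application's ABNF makes Route-Record mandatory in the answer, which is exactly the open question in the thread.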
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.