Re: [Dime] Fwd: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01
Hi Jouni,
On Wed, Jun 10, 2009 at 11:03 PM, jouni korhonen<jouni.nospam at gmail.com> wrote:
> Hi Vijay,
>
>
> On Jun 11, 2009, at 12:49 AM, Vijay Devarapalli wrote:
>
>> Hi Jouni,
>>
>> I have a comment on the "VPN Gateway feature". There is no document
>> that describes what it means for a Mobile IPv6 home agent to act as a
>> VPN gateway. The IKEv2 exchange between the MN and the HA [RFC 4877
>> and 5026] already supports mutual authentication, address assignment
>> and setting up of tunnel mode ESP SAs. Are you referring to this as
>> VPN mode? But isn't this regular Home agent functionality?
>
> The "VPN mode" is when you use HA IKEv2/IPsec functionality purely for
> conventional VPN remote access purposes without any mobility.
Again, what does this mean? When you run IKEv2 as described in RFC
4877 and 5026, you are creating tunnel mode security associations for
a *Mobile IPv6 tunnel*. In the "VPN" mode, does the mobile node switch
off the Mobile IPv6 stack?
Or does the Home Agent behave as an IPsec VPN gateway for pure IPsec
clients, i.e., there is no Mobile IPv6 stack on these clients?
> That type of
> deployment is shortly referenced in draft-ietf-dime-mip6-split Section 4.1.
> I recall this functionality was originally requested by Gerardo.
It doesn't make sense to me. :) This looks more like co-locating a
Mobile IPv6 home agent and an IPsec VPN gateway and supporting both
Mobile IPv6 mobile nodes and plain IPsec clients at the same time.
There has to be more to this scenario than just the short paragraph in
draft-ietf-dime-mip6-split.
>> Or is there a separate IPsec VPN that is first setup and then Mobile
>> IPv6 is run on top of the IPsec tunnels?
>
> As shortly described in split document:
>
> In some deployment scenarios, the HA may also act as an IKEv2
> Responder for a conventional IPsec VPN access. The challenge in this
> case is that the IKEv2 responder may not know if IKEv2 is used for
> Mobile IPv6 service or for IPsec VPN access service. A network
> operator needs to be aware of this limitation. One solution already
> supported by IKEv2 is to use different responder identities when
> operating as a conventional IPsec VPN gateway or as a HA. The MN can
> then indicate the preferred responder type using the appropriate IDr
> payload in the IKE_AUTH message.
>
> But yeah, now that feature bits are taken into a separate document, the
> connection between the above and the new feature bit is rather weak. Either
> we need more text and/or reference in the draft-korhonen-dime-feature-bits
> or just remove the bit all together. Since the difference between
> conventional IKEv2 IPsec VPN gateway part and HA's IKEv2 IPsec functionality
> is rather small, I would keep the feature bit and enhance the text instead.
It is not "rather small" in my opinion. I don't understand how
supporting plain IPsec clients can be a feature on a Mobile IPv6 home
agent. :)
Vijay
>
> Jouni
>
>
>>
>>
>> Vijay
>>
>> On Wed, Jun 10, 2009 at 2:55 AM, jouni korhonen<jouni.nospam at gmail.com>
>> wrote:
>>>
>>> Hi all,
>>>
>>> I have updated the additional feature bits draft. I did remove some stuff
>>> so
>>> that the draft now only reserves MIP6-Feature-Vector flag bits and
>>> nothing
>>> more. I'll forward the draft soon to RFC editor so if anyone has
>>> comments,
>>> please be quick :)
>>>
>>> Cheers,
>>> Jouni
>>>
>>> Begin forwarded message:
>>>
>>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>>> Date: June 10, 2009 12:26:53 PM GMT+03:00
>>>> To: jouni.nospam at gmail.com
>>>> Subject: New Version Notification for
>>>> draft-korhonen-dime-mip6-feature-bits-01
>>>>
>>>>
>>>> A new version of I-D, draft-korhonen-dime-mip6-feature-bits-01.txt has
>>>> been successfully submitted by Jouni Korhonen and posted to the IETF
>>>> repository.
>>>>
>>>> Filename: draft-korhonen-dime-mip6-feature-bits
>>>> Revision: 01
>>>> Title: Diameter MIP6 Feature Vector Additional Bit Allocations
>>>> Creation_date: 2009-06-10
>>>> WG ID: Independent Submission
>>>> Number_of_pages: 5
>>>>
>>>> Abstract:
>>>> During the Mobile IPv6 Split Scenario bootstrapping the Mobile IPv6
>>>> Home Agent and the Authentication, Authorization, and Accounting
>>>> server may exchange a set of authorized mobility capabilities. This
>>>> document defines new mobility capability flags that are used to
>>>> authorize per Mobile Node route optimization, Multiple Care-of
>>>> Address and user plane traffic encryption support. Furthermore, this
>>>> document also defines a capability flag of indicating whether the
>>>> Home Agent is authorized to act as a stand alone Virtual Private
>>>> Network gateway.
>>>>
>>>>
>>>>
>>>> The IETF Secretariat.
>>>>
>>>>
>>>
>>> _______________________________________________
>>> DiME mailing list
>>> DiME at ietf.org
>>> https://www.ietf.org/mailman/listinfo/dime
>>>
>
>
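The responder-identity mechanism quoted from draft-ietf-dime-mip6-split above (the MN picks the HA role or the VPN-gateway role by the IDr it sends in IKE_AUTH) as an added example, not code from the thread or from any of the drafts. The payload layout and ID type numbers are from RFC 7296 section 3.5; the two responder identities and role names are assumed operator configuration, and an absent or unrecognised IDr is reported as unresolved, which is exactly the ambiguity the quoted text warns about.

```python
import struct
from typing import Optional, Tuple

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5

# Assumed (hypothetical) responder identities an operator would configure so that
# a single IKEv2 responder can tell Mobile IPv6 bootstrapping from plain VPN access.
RESPONDER_ROLES = {
    (ID_FQDN, b"ha.example.net"): "mobile-ipv6-home-agent",
    (ID_FQDN, b"vpn.example.net"): "ipsec-vpn-gateway",
}

UNRESOLVED = "unresolved"  # caller must not guess a role from this


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode an Identification payload (IDi and IDr share this wire layout):
    Next Payload | C+Reserved | Payload Length | ID Type | 3 reserved | data."""
    length = 8 + len(data)
    return struct.pack("!BBHB3s", next_payload, 0, length, id_type, b"\x00" * 3) + data


def parse_id_payload(buf: bytes) -> Tuple[int, bytes]:
    """Decode an Identification payload, refusing headers whose length field
    does not fit the buffer (a malformed IDr must not select any role)."""
    if len(buf) < 8:
        raise ValueError("truncated Identification payload header")
    _next_payload, _flags, length, id_type = struct.unpack("!BBHB", buf[:5])
    if length < 8 or length > len(buf):
        raise ValueError("Identification payload length %d disagrees with buffer" % length)
    return id_type, buf[8:length]


def select_responder_role(idr_payload: Optional[bytes]) -> str:
    """Map the IDr carried in an IKE_AUTH request to a configured responder role.
    No IDr, or one naming an identity we do not serve, yields UNRESOLVED rather
    than a silent default, since HA service and VPN access authorize differently."""
    if idr_payload is None:
        return UNRESOLVED
    id_type, data = parse_id_payload(idr_payload)
    if id_type == ID_FQDN:
        data = data.lower()  # DNS names compare case-insensitively
    return RESPONDER_ROLES.get((id_type, data), UNRESOLVED)
```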