[Dime] Comments on draft-ietf-dime-ikev2-psk-diameter-03.txt

"Mizikovsky, Semyon B (Simon)" <simon.mizikovsky@alcatel-lucent.com> Thu, 28 October 2010 19:51 UTC

Return-Path: <simon.mizikovsky@alcatel-lucent.com>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1244E3A6774 for <dime@core3.amsl.com>; Thu, 28 Oct 2010 12:51:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JJsiC6Hm2TKh for <dime@core3.amsl.com>; Thu, 28 Oct 2010 12:51:16 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id 168843A68DA for <dime@ietf.org>; Thu, 28 Oct 2010 12:51:16 -0700 (PDT)
Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id o9SJr8Yr015820 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <dime@ietf.org>; Thu, 28 Oct 2010 14:53:08 -0500 (CDT)
Received: from USNAVSXCHHUB02.ndc.alcatel-lucent.com (usnavsxchhub02.ndc.alcatel-lucent.com [135.3.39.111]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id o9SJr76o030415 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <dime@ietf.org>; Thu, 28 Oct 2010 14:53:07 -0500
Received: from USNAVSXCHMBSA1.ndc.alcatel-lucent.com ([135.3.39.119]) by USNAVSXCHHUB02.ndc.alcatel-lucent.com ([135.3.39.111]) with mapi; Thu, 28 Oct 2010 14:53:07 -0500
From: "Mizikovsky, Semyon B (Simon)" <simon.mizikovsky@alcatel-lucent.com>
To: "dime@ietf.org" <dime@ietf.org>
Date: Thu, 28 Oct 2010 14:53:07 -0500
Thread-Topic: Comments on draft-ietf-dime-ikev2-psk-diameter-03.txt
Thread-Index: Act2CJUiMrD465+GSN+L519yo/QNdQAEQTOwACDeaxAAC8sR8A==
Message-ID: <E413B3F92D9EAC45A9C3CE54B0C685A313420881AB@USNAVSXCHMBSA1.ndc.alcatel-lucent.com>
References: <AAE76B481E7A0E4C96610790A852B9A624FDD22EC9@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <E413B3F92D9EAC45A9C3CE54B0C685A31342087AD9@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <AAE76B481E7A0E4C96610790A852B9A624FDD2318A@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
In-Reply-To: <AAE76B481E7A0E4C96610790A852B9A624FDD2318A@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10
Subject: [Dime] Comments on draft-ietf-dime-ikev2-psk-diameter-03.txt
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2010 19:51:17 -0000

1. In Sec.4.2 first paragraph "The HAAA may maintain state or may be stateless.  This is indicated by presence or absence of the Auth-Session-State AVP." This behavior is already defined in RFC3588. In fact, absence of the Auth-Session-State AVP in a Request would indicate the default that the state is requested to be maintained by the HAAA, and absence of this AVP in an Answer - that the HAAA will in fact maintain the state. Suggest to remove these two sentences, leaving only the main requirement of this Draft, listed in the third sentence: "The IKEv2 Server MUST support the Authorization Session State Machine defined in [RFC3588]."

2. The Auth-Session-State AVP is absent in the IKEv2-PSK-Answer (IKEPSKA) Command, sec. 5.2, even though it is shown [optional] in IKEv2-PSK-Request (IKEPSKR) Command, sec.5.1.  Suggest to add it to IKEv2-PSK-Answer (IKEPSKA) Command for completeness.

3. Sec.10 "Security Considerations", second paragraph "In this case, the HA to the Diameter server AAA communication relies on the security properties of the intermediating AAA inter-connection networks, AAA brokers, and Diameter agents." Suggest replacing the HA with IKEv2 Server.

With these changes, suggest to approve the draft for publication.


Semyon Mizikovsky
Alcatel Lucent
Wireless Security & Fraud Prevention
Wireless Standards Department
600/700 Mountain Avenue, 3C-506L
Murray Hill, NJ 07974, USA
(O) 1+908-582-0729
(M) 1+732-239-7533
(F)  1+908-743-4361