[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt

To: Ahmad Muhanna <amuhanna at nortel.com>
Subject: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
From: Vijay Devarapalli <vijay at wichorus.com>
Date: Thu, 12 Mar 2009 14:58:26 -0800
Cc: draft-ietf-mext-binding-revocation at tools.ietf.org, mext <mext at ietf.org>, Julien Laganier <julien.IETF at laposte.net>
Delivered-to: mext at core3.amsl.com
In-reply-to: <C5A96676FCD00745B64AE42D5FCC9B6E1DA4457E at zrc2hxm0.corp.nortel.com>
List-archive: <http://www.ietf.org/mail-archive/web/mext>
List-help: <mailto:mext-request@ietf.org?subject=help>
List-id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-post: <mailto:mext@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
References: <C5A96676FCD00745B64AE42D5FCC9B6E1D96E117 at zrc2hxm0.corp.nortel.com> <C5DCA6D2.5751%vijay at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1D9BFA98 at zrc2hxm0.corp.nortel.com> <49B824C1.1090504 at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44418 at zrc2hxm0.corp.nortel.com> <49B98649.4090606 at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA4457E at zrc2hxm0.corp.nortel.com>
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)

Ahmad Muhanna wrote:

Hi Vijay,

Ahmad, if there is a security threat by a MAG deleting thebinding it created, let me know. Otherwise the authorizationcheck is unnecessary.Please remove it.


[Ahmad]
The simple answer is yes. IMO, compromised MAG is applicable here as it
was applicable in PMIPv6.
The problem with Global revocation is: the consequences is much more
sever. One single message impact all bindings between the MAG and the
LMA. Adding this authorization check, is NOT a huge overhead. It ensures
that this MAG is authorized to participate in such activity, which MAY
NOT happen that frequently anyway. Also, it gives LMA the freedom  to
NOT allow some MAG(s) to do such activity.

As an example: let us assume that MAG1 will send a Global Revocation at
time (t1) and MNx will attach at time (t1+ 30 seconds). Why it is
acceptable for the LMA to make sure that the MAG1 is authorized to send
a PBU on behalf on MNx while it is not needed to validate that it is
authorized to delete 10k sessions (for example) in a single message.

This is a wrong analogy. Currently RFC 5213 does not require the LMA toperform an extra authorization check when deleting a binding when itreceives a de-registration PBU from the LMA. So why require theauthorization check for bulk revocation? It is the MAG that created thebindings.

In addition, the authorization check that is described indraft-ietf-mext-binding-revocation-03.txt seems to be saying that theLMA must check if the MAG is authorized to do bulk revocation. Not aboutthe MAG being authorized to modify the binding related to mobile nodesession. Why do you want the LMA to maintain a list of MAGs that areauthorized for bulk revocation? How is this list configured on the LMA?

[BTW: This has been in the draft since inception and has beendiscussed many times and was approved during the wg LC]
Has it been discussed specifically?
[Ahmad]
Yes. We did. In several occasions.Please check exchanges with Domagoj, Patrick, and others.


I couldn't find anything on this. Can you please give me a pointer?

3. If there is a Peer Authorization Database already as per PMIPv6,why it is TOO difficult to add the authorization for the
Global Revocation.

Are you talking about IPsec PAD?
[Ahmad]
That could be used too. I do not see any problem with that.

See section 4.4.3 of RFC 4301 for the PAD definition. How can this beused by the LMA to check if the MAG is authorized for bulk revocation?


Vijay

Follow-Ups:
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna

References:
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna

Prev by Date: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Next by Date: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Previous by thread: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Next by thread: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Index(es):
- Date
- Thread