Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
> >
> > [Ahmad]
> > The simple answer is yes. IMO, a compromised MAG is applicable here as
> > it was applicable in PMIPv6.
> > The problem with Global revocation is: the consequences are much more
> > severe. One single message impacts all bindings between the MAG and the
> > LMA. Adding this authorization check is NOT a huge overhead. It
> > ensures that this MAG is authorized to participate in such activity,
> > which MAY NOT happen that frequently anyway. Also, it gives the LMA the
> > freedom to NOT allow some MAG(s) to do such activity.
> >
> > As an example: let us assume that MAG1 will send a Global Revocation
> > at time (t1) and MNx will attach at time (t1 + 30 seconds). Why is it
> > acceptable for the LMA to make sure that MAG1 is authorized to
> > send a PBU on behalf of MNx while it is not needed to validate that it
> > is authorized to delete 10k sessions (for example) in a single message?
>
> This is a wrong analogy. Currently RFC 5213 does not require
> the LMA to perform an extra authorization check when deleting
> a binding when it receives a de-registration PBU from the
> LMA. So why require the authorization check for bulk
> revocation? It is the MAG that created the bindings.
[Ahmad]
That is understood. Also, single revocation does not require any
authorization.
Probably the critical word here is "Global".
>
> In addition, the authorization check that is described in
> draft-ietf-mext-binding-revocation-03.txt seems to be saying
> that the LMA must check if the MAG is authorized to do bulk
> revocation, not about the MAG being authorized to modify the
> binding related to a mobile node session. Why do you want the
> LMA to maintain a list of MAGs that are authorized for bulk
> revocation? How is this list configured on the LMA?
>
> >>> [BTW: This has been in the draft since inception and has been
> >>> discussed many times and was approved during the wg LC]
> >> Has it been discussed specifically?
> >
> > [Ahmad]
> > Yes. We did. On several occasions.
> > Please check exchanges with Domagoj, Patrick, and others.
>
> I couldn't find anything on this. Can you please give me a pointer?
>
> >>> 3. If there is a Peer Authorization Database already as per PMIPv6,
> >>> why is it TOO difficult to add the authorization for the
> >>> Global Revocation?
> >>
> >> Are you talking about IPsec PAD?
> >
> > [Ahmad]
> > That could be used too. I do not see any problem with that.
>
> See section 4.4.3 of RFC 4301 for the PAD definition. How can
> this be used by the LMA to check if the MAG is authorized for
> bulk revocation?
>
> Vijay
>