[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt

To: Ahmad Muhanna <amuhanna at nortel.com>
Subject: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
From: Sri Gundavelli <sgundave at cisco.com>
Date: Fri, 13 Mar 2009 11:14:00 -0700 (PDT)
Authentication-results: sj-dkim-2; header.From=sgundave at cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: mext <mext at ietf.org>, netlmm at ietf.org, Julien Laganier <julien.IETF at laposte.net>
Delivered-to: mext at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1368; t=1236968041; x=1237832041; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=sgundave at cisco.com; z=From:=20Sri=20Gundavelli=20<sgundave at cisco.com> |Subject:=20RE=3A=20[MEXT]=20Review=20of=20draft-ietf-mext- binding-revocation-03.txt |Sender:=20; bh=j30kpEnZAZPe9PUCS0vm6WHegxqeMfVF0yHQrk/uvOA=; b=pwpQuWJYQMmIo4IhCuVRS0WRXaijMycfSAho3xezRaU1iHM7PzCLtSRl5d 17YMt7K+8DNnTES8fOh2VJNfVqAl5Q+QtqyTLoK56Qs4mDH0YR78Pl+sp8u7 Zckm3uUPQf;
In-reply-to: <C5A96676FCD00745B64AE42D5FCC9B6E1DA44982 at zrc2hxm0.corp.nortel.com>
List-archive: <http://www.ietf.org/mail-archive/web/mext>
List-help: <mailto:mext-request@ietf.org?subject=help>
List-id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-post: <mailto:mext@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
References: <C5A96676FCD00745B64AE42D5FCC9B6E1D96E117 at zrc2hxm0.corp.nortel.com> <C5DCA6D2.5751%vijay at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1D9BFA98 at zrc2hxm0.corp.nortel.com> <49B824C1.1090504 at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44418 at zrc2hxm0.corp.nortel.com> <49B98649.4090606 at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA4457E at zrc2hxm0.corp.nortel.com> <49B99392.5030507 at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44711 at zrc2hxm0.corp.nortel.com> <49B9AD1C.7080703 at wichorus.com> <C5A96676FCD00745B64AE42D5FCC9B6E1DA44982 at zrc2hxm0.corp.nortel.com>

Hi Vijay,

Some comments on this.

Does the LMA keep a list of MAGs that are authorized for
sending bulk revocations? How is this list configured? In
addition, I think this authorization step is unnecessary and
should be removed.


Bulk revoc is a high security risk operation, requiring such
authorization check will allow the system to build some
configurability into the system.

Even for a single binding, if you recall and as Ahmad pointed
out, we do require this in 5213. We added this per IESG note.
Before the MAG can create a binding, the LMA is required to check
if the given MAG is authorized to perform such an operation. The
same goes for dereg, its enforced indirectly, there is a check
for binding's Proxy-CoA to match the PBU's Proxy-CoA, before the
dereg is allowed.

Now, this check for bulk dereg spanning many MN's is for the
specific operation, if its allowed or not. This is a requirement
for a good system design, from OM perspective. Has no bearing
on protocol interop. I dont think this can be an issue, one
can always add a * rule to permit every MAG to perform such
operation.

If your concern is maintaing that list, we can always state in
a secure network, the MAG can just have one flat rule to allow
such operation from all the configured peers that it knows.
Will that work ?


Sri

Follow-Ups:
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli

References:
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Vijay Devarapalli
- Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
  - From: Ahmad Muhanna

Prev by Date: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Next by Date: Re: [MEXT] multiple coa draft 11
Previous by thread: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Next by thread: Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt
Index(es):
- Date
- Thread