
Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt



Hi Yungui,

The authorization check is for a specific case of bulk revocation
operation. A single dereg message and a bulk revocation
message have different impact scopes, and so do the
authorization checks, which need to define finer access
controls matching the specific impact scope.

Sri


On Tue, 17 Mar 2009, Yungui Wang wrote:

Hello

Sorry for jumping in.
A MAG deletes 30,000 bindings continuously (via 30,000 messages),
whose impact is the same as deleting 30,000 bindings via 1 message.
I can't find the difference either. That is, 'impact many sessions' does not
seem very convincing.
In my mind, if a MAG is not allowed to delete a binding, it can't delete
any binding, and vice versa.


MAG created a single binding and can very well delete a single binding
by sending a single request. That did not provide an explicit right
to delete all 30,000 bindings in a single message. That request needs
to pass additional authorization, as that can impact many sessions.


B.R.
Yungui