
Re: [MEXT] Review of draft-ietf-mext-binding-revocation-03.txt



Hello

I understand your concerns. A MAG should be carefully implemented to send
a bulk revocation message. But I am wondering if it is necessary or
meaningful that the LMA checks the authorization. For example, if a
non-authorized MAG wants to implement the bulk de-reg function, it can
send a big lower-layer frame encapsulating many single dereg messages
(assuming that is possible) to bypass that authorization check. In this
case, does the LMA check the authorization?

B.R.  /Yungui Wang

> -----Original Message-----
> From: Sri Gundavelli [mailto:sgundave at cisco.com] 
> Sent: Tuesday, March 17, 2009 11:21 AM
> To: Yungui Wang
> Cc: 'Vijay Devarapalli'; 'Julien Laganier'; 'mext'
> Subject: RE: [MEXT] Review of 
> draft-ietf-mext-binding-revocation-03.txt
> 
> Hi Yungui,
> 
> The authorization check is for a specific case of the bulk revocation
> operation. A single dereg message and a bulk revocation message have
> different impact scopes, and so do the authorization checks, which need
> to define finer access controls matching the specific impact scope.
> 
> Sri
> 
> 
> On Tue, 17 Mar 2009, Yungui Wang wrote:
> 
> > Hello
> >
> > Sorry for jumping in.
> > A MAG deletes 30,000 bindings continuously (via 30,000 messages),
> > whose impact is the same as deleting 30,000 bindings via 1 message.
> > I can't find the difference either. That is, 'impact many sessions'
> > does not seem very convincing.
> > In my mind, if a MAG is not allowed to delete bindings, it can't delete
> > any binding, and vice versa.
> >
> >>
> >> MAG created a single binding and can very well delete a single binding
> >> by sending a single request. That did not provide an explicit right
> >> to delete all 30,000 bindings in a single message. That request needs
> >> to pass additional authorization, as that can impact many sessions.
> >>
> >
> > B.R.
> > Yungui
> >
> >
>
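The two authorization scopes debated in this thread, as an added Python example that is not part of the messages or of the draft: the LMA accepts a single deregistration only from the MAG that owns the binding, accepts a bulk revocation only from a MAG with an explicit grant, and flags a MAG that sends many single deregistrations in a short window, which is the case Yungui raises. The MAG identifiers, thresholds and method names are assumptions, not anything the draft defines.

```python
"""Toy LMA binding table: per-binding deregistration requires ownership,
bulk revocation requires an explicit per-MAG grant, and a burst of single
deregistrations is flagged for review. All identifiers are hypothetical."""
from collections import defaultdict, deque

class LMA:
    def __init__(self, bulk_authorized, burst_limit=100, window=1.0):
        self.bindings = {}                 # mn_id -> owning mag_id
        self.bulk_authorized = set(bulk_authorized)
        self.burst_limit = burst_limit     # single deregs tolerated per window
        self.window = window               # seconds
        self.dereg_times = defaultdict(deque)
        self.alerts = []                   # (mag_id, time) of flagged bursts

    def register(self, mag_id, mn_id):
        self.bindings[mn_id] = mag_id

    def single_dereg(self, mag_id, mn_id, now):
        # Scope 1: a MAG may only remove a binding it created.
        if self.bindings.get(mn_id) != mag_id:
            return "rejected: not binding owner"
        del self.bindings[mn_id]
        # Defender check: many singles in one window look like a bulk operation.
        q = self.dereg_times[mag_id]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        if len(q) > self.burst_limit:
            self.alerts.append((mag_id, now))
        return "deleted"

    def bulk_revocation(self, mag_id):
        # Scope 2: bulk removal needs an explicit grant, on top of ownership.
        if mag_id not in self.bulk_authorized:
            return "rejected: bulk revocation not authorized", 0
        victims = [mn for mn, mag in self.bindings.items() if mag == mag_id]
        for mn in victims:
            del self.bindings[mn]
        return "deleted", len(victims)

def demo():
    lma = LMA(bulk_authorized={"mag-A"}, burst_limit=5, window=1.0)
    for i in range(10):
        lma.register("mag-B", f"mn{i}")
    lma.register("mag-A", "mnA")
    bulk = lma.bulk_revocation("mag-B")          # not granted -> rejected
    # Ten singles inside one second all succeed but trip the burst alert.
    singles = [lma.single_dereg("mag-B", f"mn{i}", 0.1 * i) for i in range(10)]
    cross = lma.single_dereg("mag-B", "mnA", 1.5)   # mag-A's binding -> rejected
    return bulk, singles, cross, len(lma.alerts), len(lma.bindings)
```

The demo shows the gap under discussion: the bulk path refuses the unauthorized MAG, yet the same MAG removes all of its own bindings one message at a time, so the burst counter is what gives the LMA operator visibility into that behaviour.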