[Mip4] Issue #45; Seeking closure for on deregistration with FHAE
Hi folks.
I'll try to summarize to see if we can reach some closure on this
issue.
This is the scenario when the problem is encountered.
MN is registered to the HA and moves to a new FA. The new FA
is somehow misconfigured with the wrong SA with the MN's HA.
This invalid SA means that any registration between FA and HA
will not work because authentication fails. Just to note that if the
SA is valid or if there is no SA, then everything works fine.
The issue arises when MN deregisters on the new FA which has
an invalid SA with the HA. The deregistration will not work.
I've maintained that in this scenario, MN will not be able to register
as well. So it's a configuration error that needs to be fixed as
the security relationship between FA and HA should be upheld.
The FA is configured with FHAE and always adds the extension to
the RRQ directed to the HA. The HA always authenticates the FHAE. The
security logic is clear: authentication of the message exchange between
FA and HA is provided when the FHAE service is configured or set.
Charlie feels that this deregistration has nothing to do with the FA
so should not be prevented due to some misconfiguration on the
FA or HA. To get around the security relationship, check certain
fields such as lifetime, care-of address, D-bit, etc. on the FA
(to decide if FHAE should be added) and HA to figure out the
intent of the RRQ.
Since I get to summarize, I'll add one more point. :) I believe that
we should be fine with a specification that is simple and clear
for the security relationship between FA and HA. And if a real deployment
problem is encountered by operators/customers, _then_ we can
add more logic to support the specific scenario. For now, please just
keep it straightforward. Thanks.
Kent
--
Kent Leung
IP Mobility Development
Internet Technologies Division
Cisco Systems
Voice: 408.526.5030
Fax: 408.525.1653
Email: kleung at cisco.com
--
Mip4 mailing list: Mip4 at ietf.org
Web interface: https://www1.ietf.org/mailman/listinfo/mip4
Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
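The scenario Kent describes, modelled as an added example (not from the post or from any Mobile IP implementation): a simplified RRQ, an FA that attaches an FHAE whenever it has an FA-HA SA, and an HA that authenticates any FHAE it finds before acting. The RRQ fields, the key-mismatch setup and the addresses are constructed; the authenticator uses HMAC-MD5, the default Mobile IPv4 algorithm, over a flattened stand-in for the covered bytes.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified Registration Request: only the fields the thread mentions.
@dataclass
class RRQ:
    home_addr: str
    care_of_addr: str
    lifetime: int                  # 0 signals deregistration
    d_bit: bool = False            # co-located care-of address
    fhae: Optional[bytes] = None   # FA-HA authenticator, absent when FA has no SA

    def covered_bytes(self) -> bytes:
        # Stand-in for the fixed RRQ fields and preceding extensions the FHAE protects.
        return f"{self.home_addr}|{self.care_of_addr}|{self.lifetime}|{int(self.d_bit)}".encode()


def fa_forward(rrq: RRQ, fa_ha_key: Optional[bytes]) -> RRQ:
    """FA behaviour from the post: add FHAE whenever an FA-HA SA is configured."""
    if fa_ha_key is not None:
        rrq.fhae = hmac.new(fa_ha_key, rrq.covered_bytes(), hashlib.md5).digest()
    return rrq


def ha_process(rrq: RRQ, ha_fa_key: Optional[bytes]) -> str:
    """HA behaviour: authenticate an FHAE when present, regardless of request intent."""
    intent = "deregistration" if rrq.lifetime == 0 else "registration"
    if rrq.fhae is not None:
        if ha_fa_key is None:
            return f"{intent} rejected: FHAE present but no FA-HA SA at HA"
        expected = hmac.new(ha_fa_key, rrq.covered_bytes(), hashlib.md5).digest()
        if not hmac.compare_digest(rrq.fhae, expected):
            return f"{intent} rejected: FHAE authentication failed"
    return f"{intent} accepted"


def scenario(fa_key: Optional[bytes], ha_key: Optional[bytes], lifetime: int) -> str:
    """Run one RRQ through FA and HA with the given (possibly mismatched) SA keys."""
    rrq = RRQ(home_addr="10.0.0.5", care_of_addr="192.0.2.10", lifetime=lifetime)
    return ha_process(fa_forward(rrq, fa_key), ha_key)


if __name__ == "__main__":
    for fa_key, ha_key, lifetime in [(b"shared", b"shared", 1800), (b"shared", b"shared", 0),
                                     (b"wrong", b"shared", 1800), (b"wrong", b"shared", 0),
                                     (None, None, 0)]:
        print(fa_key, ha_key, lifetime, "->", scenario(fa_key, ha_key, lifetime))
```

With a misconfigured SA the registration and the deregistration fail for the same reason, which is the symmetry the post relies on; with a matching SA, or with no SA on either side, both go through.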