[Mip4] RE: Issue 2: Security Concern in RADIUS Mode: MIPv4 Auth Performance Using RADIUS and Diameter MIPv4 Application draft



Hi Pete,
Please see response inline.

Regards,
Ahmad
 

> -----Original Message-----
> From: McCann Peter-A001034 [mailto:pete.mccann at motorola.com] 
> Sent: Tuesday, August 07, 2007 3:46 PM
> To: Muhanna, Ahmad (RICH1:2H10); dime at ietf.org
> Cc: mip4 at ietf.org; Hannes Tschofenig
> Subject: RE: Issue 2: Security Concern in RADIUS Mode: MIPv4 
> Auth Performance Using RADIUS and Diameter MIPv4 Application draft
> 
> Hi, Ahmad,
> 
> Maybe this is not so big an issue, but one thing that might 
> happen is that the MN can use a different HA address in the 
> re-transmitted RRQ. If there is network policy in place that 
> only allows registering on specific HAs, this policy might be 
> skirted by the retransmission unless the HA address is sent 
> to the RADIUS/Diameter server with every RRQ.

[Ahmad]
We can look at this special case later, but for the sake of this simple
analysis, we need to address the most common simple scenario first, with
the following in mind: "What would the impact be when using Diameter
MIPv4 Application in place of the RADIUS model?"

Also, usually the MN does not try to register with another HA until the
registration process times out. In our case, we are focusing on the
first retransmitted RRQ, which is usually sent after one second.

> 
> I am also concerned about increasing the overall registration 
> time by going from one round-trip to two round-trips.  The 
> nice thing about the existing Diameter application is that it 
> can do both authentication/authorization and MIP registration 
> in one round-trip to the home network.

[Ahmad]
I am sorry, I missed this point here. Could you please elaborate a little
further?

> 
> One question: why couldn't we fix the problem by adjusting 
> the retransmission timers upwards?  If we know that AAA adds 
> some additional delay, we could wait a bit longer before 
> retransmitting the request.  This seems to fix the problem. 

[Ahmad]
I agree with you here. It is anticipated that Diameter MIPv4 Application
will take a longer time to complete MIPv4 initial registration. Two
questions: 

1. Why do the MN and possibly the network configurations need to change
just for using Diameter MIPv4 Application in place of RADIUS?
2. On the other hand, even if we increase the initial timer a little, we
still do not solve the issue; all we do is delay it. 


> 
> -Pete
> 
> Ahmad Muhanna wrote:
> > All,
> > During DIME meeting at IETF-69, Pete raised the point that 
> > when RADIUS relays the re-transmitted RRQ without going to AAA, 
> > there is possibly a security concern.
> > 
> > I would like to start this thread but I would like to let Pete 
> > summarize his concern and we then can discuss it.
> > 
> > Hi Pete,
> > 
> > Could you please summarize the security concern that you 
> > raised during 
> > DIME meeting?
> > Many thanks in advance.
> > 
> > Regards,
> > Ahmad
> > 
> > 
> >> -----Original Message-----
> >> From: Hannes Tschofenig [mailto:Hannes.Tschofenig at gmx.net]
> >> Sent: Wednesday, August 01, 2007 4:06 AM
> >> To: dime at ietf.org
> >> Cc: Muhanna, Ahmad (RICH1:2H10)
> >> Subject: MIPv4 Authentication Performance Using RADIUS and Diameter
> >> MIPv4
> >> 
> >> Hi Ahmad,
> >> 
> >> you raised some interesting discussions during the DIME 
> >> working group 
> >> meeting. Unfortunately, there was not enough time to address all 
> >> questions.
> >> 
> >> It would be great if you could
> >> * summarize your presentation, and
> >> * address some of the raised questions on the mailing list.
> >> 
> >> Ciao
> >> Hannes
> 
> 


--
Mip4 mailing list: Mip4 at ietf.org
    Web interface: https://www1.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
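The two points argued in this message, that a retransmitted RRQ answered by the RADIUS relay without a second AAA round trip could name a different HA than the one AAA authorized, and that raising the MN's initial retransmission timer only shifts the point at which retransmissions start, can be made concrete with a small simulation. The code below is an added example written for this page; it is not from the draft, the thread, or any RADIUS or Diameter implementation. The policy table, NAI, addresses, and the doubling retransmission schedule are constructed assumptions, and the way the relay recognizes a retransmission (matching on NAI, optionally plus HA address) is a simplification chosen to illustrate the concern, not the behaviour of any specific product.

```python
"""Toy model of MIPv4 RRQ retransmission against a RADIUS-mode relay.

Added example for the mailing-list discussion; not code from the draft.
All identities, addresses, and policy values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RRQ:
    nai: str   # mobile node identity (NAI extension)
    ha: str    # Home Agent address the MN asks to register with
    coa: str   # care-of address


def retransmission_times(aaa_delay: float, first: float = 1.0) -> List[float]:
    """Times (seconds after the initial RRQ) at which the MN retransmits
    while the reply is still outstanding, given that the AAA-assisted
    registration completes aaa_delay seconds after the initial RRQ.

    Assumption: the MN retransmits after `first` seconds and doubles the
    interval on every further retransmission (exponential backoff).
    """
    times: List[float] = []
    t, interval = 0.0, first
    while True:
        t += interval
        if t >= aaa_delay:        # reply arrives before the next retransmission
            return times
        times.append(t)
        interval *= 2


class AAAServer:
    """Constructed policy: each NAI may register only on the listed HAs."""

    def __init__(self, policy: Dict[str, Set[str]]):
        self.policy = policy
        self.queries = 0          # counts AAA round trips actually made

    def authorize(self, rrq: RRQ) -> bool:
        self.queries += 1
        return rrq.ha in self.policy.get(rrq.nai, set())


class RadiusRelay:
    """RADIUS-mode relay that forwards a retransmitted RRQ without asking
    AAA again, because the original RRQ is already in flight.

    match_ha=False: a retransmission is recognized by NAI alone (weak).
    match_ha=True:  the HA address must also match the in-flight RRQ, so a
                    retransmission naming a different HA goes back to AAA.
    """

    def __init__(self, aaa: AAAServer, match_ha: bool):
        self.aaa = aaa
        self.match_ha = match_ha
        self.inflight: Dict[Tuple[str, ...], RRQ] = {}

    def _key(self, rrq: RRQ) -> Tuple[str, ...]:
        return (rrq.nai, rrq.ha) if self.match_ha else (rrq.nai,)

    def handle(self, rrq: RRQ) -> Tuple[str, str]:
        """Return (decision, HA the RRQ is forwarded toward)."""
        key = self._key(rrq)
        if key in self.inflight:
            # Treated as a retransmission: relayed toward the HA named in
            # *this* RRQ with no second AAA round trip.
            return ("forwarded", rrq.ha)
        self.inflight[key] = rrq
        if self.aaa.authorize(rrq):
            return ("forwarded", rrq.ha)
        return ("denied", rrq.ha)


def demo(match_ha: bool) -> Tuple[Tuple[str, str], Tuple[str, str], int]:
    """Initial RRQ for the authorized HA, then a retransmission that names
    an HA the policy does not allow. Returns both relay decisions and the
    number of AAA queries made."""
    aaa = AAAServer({"mn@example.net": {"10.0.0.1"}})     # constructed policy
    relay = RadiusRelay(aaa, match_ha)
    first = RRQ("mn@example.net", "10.0.0.1", "192.0.2.10")
    retry = RRQ("mn@example.net", "10.0.0.99", "192.0.2.10")  # different HA
    return relay.handle(first), relay.handle(retry), aaa.queries


if __name__ == "__main__":
    print("retransmits, AAA delay 2.5 s, timer 1 s:", retransmission_times(2.5))
    print("retransmits, AAA delay 2.5 s, timer 2 s:", retransmission_times(2.5, first=2.0))
    print("NAI-only match:  ", demo(match_ha=False))
    print("NAI+HA match:    ", demo(match_ha=True))
```

With the weak relay the retransmission toward 10.0.0.99 is forwarded after a single AAA query, so the per-HA policy never sees the second address; with the HA address in the match key the relay makes a second AAA round trip and the request is denied. The timer function shows the second point: with a 2.5 s AAA-assisted registration, a 1 s initial timer produces one retransmission at 1 s and a 2 s timer still produces one at 2 s, so the retransmission is only pushed later unless the timer is raised past the whole AAA delay.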