Re: [Mip4] WGLC: draft-ietf-mip4-generic-notification-message-04.txt

inline ...

On Tue, 15 Jul 2008, Ahmad Muhanna wrote:


> 1. In your proposal, you are proposing an end-to-end signaling between
> the following nodes:
> 1.1. MN-HA and HA-MN, this is the only scenario that is relevant to
> RFC3344.
> 1.2. MN-FA and FA-MN, this scenario is NOT addressed in RFC3344 and THUS
> it is new with a new security architecture and requirement that you MUST
> clearly identify and address. Although it may sound as if RFC3344 is
> addressing this case, it is NOT.
> 1.3. FA-HA and HA-FA, this scenario is NOT addressed in RFC3344 and THUS
> it is new with a new security architecture and requirement that you MUST
> clearly identify and address. The more relevant document here is
> RFC3543.


I do not understand the logic here, or your ideas on 3344 Security Architecture. A couple of points:


HA, FA and MN are the mobility entities. The protocol defines
security mechanisms to secure messages at each hop.

- Between FA and MN, in the form of MFAE, and there is also RFC 4721.
- Between FA and HA, in the form of FHAE.
- Between MN and HA, in the form of MHAE.

Some of these extensions in some scenarios may be optional; that
does not imply there cannot be signaling between those mobility
entities.

FA is not a passive node as you put it. It's not an on-path router
or a random node in the network. It is a mobility agent. When
a mobile node's registration sent through an FA is accepted, the
states that are created on the HA and FA have a relationship. Each
of those agents should be able to signal the other agent with
respect to those states. An example is Revocation signaling,
which is allowed between all mobility agents. As long as there
is a mechanism to secure signaling between those mobility agents,
and as long as the signaling is w.r.t. the state associated with
the same set of mobile nodes, it is perfectly valid to allow
signaling between those agents. FHAE may be optional on a
message secured by the mobile node; it does not mean we cannot
mandate the use of FHAE when a signaling message originates from
HA to FA or vice versa.

Finally, on RFC 3344's Security Architecture, it's all about a
configured security association between any two mobility agents. As
long as there is a SA configured, it is sufficient to secure the
signaling messages between those two agents. If the protocol did
not mandate the use of that security in some paths and for some
signaling, it does not mean that it cannot be enabled for some
other signaling, such as Generic Notification and this does not mean
it requires a new security architecture.

Sri
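The per-hop authentication extensions discussed above (MHAE, MFAE, FHAE, each keyed by a pre-configured SA and identified by an SPI) can be shown in working code. The following Python example is added here and is not part of this thread, of RFC 3344, or of any implementation; it follows the RFC 3344 Section 3.5 extension layout (Type, Length, SPI, HMAC-MD5 authenticator covering the fixed body, all earlier extensions, and the extension's own Type/Length/SPI). The SA table, SPI values, keys, message body and function names are constructed for illustration. It walks through the three cases the reply argues about: an MN message relayed by the FA (MHAE plus FHAE, both checked by the HA), FA-originated signaling carrying only FHAE, and the two rejection paths a receiving agent needs (modified message, no SA for the SPI).

```python
import hashlib
import hmac
import struct

# RFC 3344 authentication extension type codes.
MHAE = 32  # Mobile-Home Authentication Extension  (MN <-> HA)
MFAE = 33  # Mobile-Foreign Authentication Extension (MN <-> FA)
FHAE = 34  # Foreign-Home Authentication Extension (FA <-> HA)

HMAC_MD5_LEN = 16                 # RFC 3344 default algorithm is HMAC-MD5
AUTH_EXT_LEN = 4 + HMAC_MD5_LEN   # Length field counts SPI + authenticator
AUTH_HDR = struct.Struct("!BBI")  # Type (1), Length (1), SPI (4)

# Constructed SA configuration keyed by (extension type, SPI).
# A real agent reads these from its configured security associations;
# the SPIs and keys below are made-up test values.
SA_TABLE = {
    (MHAE, 0x00000100): b"mn-ha-shared-secret",
    (FHAE, 0x00000200): b"fa-ha-shared-secret",
}


def lookup_sa(ext_type, spi):
    """Return the configured key for this hop's SPI, or None."""
    return SA_TABLE.get((ext_type, spi))


def append_auth_ext(message, ext_type, spi, key):
    """Append an authentication extension to `message`.

    Per RFC 3344 Section 3.5.1 the authenticator covers the fixed body,
    every earlier extension, and this extension's Type, Length and SPI.
    """
    header = AUTH_HDR.pack(ext_type, AUTH_EXT_LEN, spi)
    authenticator = hmac.new(key, message + header, hashlib.md5).digest()
    return message + header + authenticator


def extension_offsets(message, body_len):
    """Yield (offset, type, length) for each Type/Length/Data extension."""
    off = body_len
    while off + 2 <= len(message):
        etype, elen = message[off], message[off + 1]
        yield off, etype, elen
        off += 2 + elen


def verify_auth_ext(message, body_len, ext_type):
    """Verify the first extension of `ext_type` against the configured SA.

    Returns True only if the extension is present, an SA exists for its
    SPI, and the HMAC-MD5 authenticator matches the covered bytes.
    """
    for off, etype, elen in extension_offsets(message, body_len):
        if etype != ext_type:
            continue
        if elen != AUTH_EXT_LEN or off + 2 + elen > len(message):
            return False                      # malformed extension
        _, _, spi = AUTH_HDR.unpack_from(message, off)
        key = lookup_sa(ext_type, spi)
        if key is None:
            return False                      # no SA for this hop: reject
        covered = message[: off + AUTH_HDR.size]
        expected = hmac.new(key, covered, hashlib.md5).digest()
        received = message[off + AUTH_HDR.size: off + 2 + elen]
        return hmac.compare_digest(expected, received)
    return False                              # extension absent


# Constructed 16-byte fixed body standing in for a notification header.
BODY = b"constructed-body"
BODY_LEN = len(BODY)


def mn_to_ha_via_fa():
    """MN signs with MHAE, the FA adds FHAE, the HA checks both hops."""
    msg = append_auth_ext(BODY, MHAE, 0x100, SA_TABLE[(MHAE, 0x100)])
    msg = append_auth_ext(msg, FHAE, 0x200, SA_TABLE[(FHAE, 0x200)])
    return (verify_auth_ext(msg, BODY_LEN, MHAE),
            verify_auth_ext(msg, BODY_LEN, FHAE))


def fa_to_ha_direct():
    """FA-originated signaling to the HA carries only FHAE."""
    msg = append_auth_ext(BODY, FHAE, 0x200, SA_TABLE[(FHAE, 0x200)])
    return verify_auth_ext(msg, BODY_LEN, FHAE)


def modified_in_transit():
    """One body byte changed after signing: both hops' checks must fail."""
    msg = append_auth_ext(BODY, MHAE, 0x100, SA_TABLE[(MHAE, 0x100)])
    msg = append_auth_ext(msg, FHAE, 0x200, SA_TABLE[(FHAE, 0x200)])
    modified = bytes([msg[0] ^ 0x01]) + msg[1:]
    return (verify_auth_ext(modified, BODY_LEN, MHAE),
            verify_auth_ext(modified, BODY_LEN, FHAE))


def unknown_spi():
    """An FHAE under an SPI the HA has no SA for is rejected outright."""
    msg = append_auth_ext(BODY, FHAE, 0x999, b"not-a-configured-key")
    return verify_auth_ext(msg, BODY_LEN, FHAE)


if __name__ == "__main__":
    print("MN via FA (MHAE, FHAE):", mn_to_ha_via_fa())
    print("FA to HA (FHAE only):  ", fa_to_ha_direct())
    print("modified in transit:   ", modified_in_transit())
    print("unknown SPI:           ", unknown_spi())
```

The ordering matters: because the FHAE is appended after the MHAE, its authenticator also covers the mobile node's extension, so the HA checking the FHAE confirms the FA forwarded the MN's message unchanged; the `unknown_spi` path is the behaviour an agent needs when no SA is configured for the peer, i.e. it must refuse the message rather than process it unauthenticated.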





--
Mip4 mailing list: Mip4 at ietf.org
   Web interface: https://www.ietf.org/mailman/listinfo/mip4
    Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.