Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
Hello Kent,
I think there are several cases, and that each case could
likely have different answers. The original issue was about
the FA-HA authentication, but I agree with you that the
case of the MN-HA authentication is important.
I think these are the relevant cases, with some
suggested actions for each case.
- FA-HA authentication fails:
-- FA-HA SA exists ==> MAY send #132
-- no FA-HA SA ==> MUST silently drop
- MN-HA authentication fails, no FA-HA SA:
-- MN-HA SA exists ==> MAY send #131
-- no MN-HA SA ==> MUST silently drop
- MN-HA authentication fails, FA-HA authentication:
-- MN-HA SA exists ==> MUST send #131
-- no MN-HA SA ==> MUST silently drop
Here, in the last case when there is no SA with the
mobile node, the foreign agent can soon clean up
its pending registration list. Since the FA has
proved its identity to the HA, it could eventually
infer by the lack of RREQs from the HA, even
after retries by the MN, that the MN was not
known to the home agent.
Another possibility would be to assign a new error
code for a RREQ that was purely for the purpose of
notifying the FA that the mobile node was unknown.
Then the FA would not forward this RREQ to the
MN, but just expunge its pending registration entry.
What do you think?
Regards,
Charlie P.
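The case table above, turned into a runnable model of the home agent's decision. This is an added example and not code from the thread, from any MIP4 implementation, or from RFC 3344 itself; the message formats follow RFC 3344 (24-byte Registration Request header, authentication extensions of Type 32 for MN-HA and 34 for FA-HA, HMAC-MD5 over the payload, all prior extensions and the extension's own Type, Length and SPI). Two things are this example's own assumptions: security associations are looked up by SPI only, and an authentication extension that is absent is treated the same as "no SA". Keys, addresses and SPIs are constructed sample values.

```python
"""Home-agent handling of failed MN-HA / FA-HA authentication (added example)."""
import hashlib
import hmac
import socket
import struct

REG_REQUEST = 1
EXT_MHAE = 32        # Mobile-Home Authentication Extension (RFC 3344 3.5.2)
EXT_FHAE = 34        # Foreign-Home Authentication Extension (RFC 3344 3.5.4)
AUTH_LEN = 16        # HMAC-MD5 authenticator, the RFC 3344 default
BODY_LEN = 24        # fixed Registration Request header length


def rreq_body(home_addr, home_agent, coa, lifetime, ident):
    """Fixed part of a Registration Request: Type, flags, Lifetime,
    Home Address, Home Agent, Care-of Address, Identification."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0x00, lifetime,
                       socket.inet_aton(home_addr), socket.inet_aton(home_agent),
                       socket.inet_aton(coa), ident)


def add_auth_ext(msg, ext_type, spi, key):
    """Append an authentication extension. The authenticator covers the
    payload, all prior extensions, and this extension's Type, Length, SPI."""
    hdr = struct.pack("!BBI", ext_type, 4 + AUTH_LEN, spi)
    return msg + hdr + hmac.new(key, msg + hdr, hashlib.md5).digest()


def auth_state(msg, off, sa_table):
    """Check the authentication extension at offset `off` against an
    SPI-keyed SA table (assumption: lookup by SPI only).
    Returns 'ok', 'bad' (SA exists, authenticator wrong) or 'no_sa'."""
    spi = struct.unpack("!I", msg[off + 2:off + 6])[0]
    key = sa_table.get(spi)
    if key is None:
        return "no_sa"
    expected = hmac.new(key, msg[:off + 6], hashlib.md5).digest()
    got = msg[off + 6:off + 6 + AUTH_LEN]
    return "ok" if hmac.compare_digest(expected, got) else "bad"


def home_agent_decide(msg, mn_sas, fa_sas):
    """Apply the case table from the message above and return the HA action.
    An absent extension is treated like a missing SA (example's assumption)."""
    mn = fa = "absent"
    off = BODY_LEN
    while off + 2 <= len(msg):
        ext_type, ext_len = msg[off], msg[off + 1]
        if ext_type == EXT_MHAE:
            mn = auth_state(msg, off, mn_sas)
        elif ext_type == EXT_FHAE:
            fa = auth_state(msg, off, fa_sas)
        off += 2 + ext_len
    # FA-HA authentication fails
    if fa == "bad":                      # FA-HA SA exists
        return "MAY send 132"
    if fa == "no_sa":                    # unknown SPI: no FA-HA SA, no reply
        return "MUST silently drop"
    if mn == "ok":
        return "accept"
    # MN-HA authentication fails from here on
    if mn in ("absent", "no_sa"):        # no MN-HA SA: never answer
        return "MUST silently drop"
    # MN-HA SA exists; strength of the reply depends on whether the FA proved itself
    return "MUST send 131" if fa == "ok" else "MAY send 131"


# Constructed sample SAs and a helper that builds a request with chosen keys.
MN_KEY = b"mn-ha shared secret (constructed)"
FA_KEY = b"fa-ha shared secret (constructed)"
MN_SAS = {0x100: MN_KEY}
FA_SAS = {0x200: FA_KEY}


def sample(mn_spi, mn_key, fa_spi=None, fa_key=None):
    msg = rreq_body("10.0.0.5", "10.0.0.1", "192.0.2.7", 1800, 0x1234)
    msg = add_auth_ext(msg, EXT_MHAE, mn_spi, mn_key)
    if fa_spi is not None:
        msg = add_auth_ext(msg, EXT_FHAE, fa_spi, fa_key)
    return msg


if __name__ == "__main__":
    cases = {
        "honest MN, honest FA": sample(0x100, MN_KEY, 0x200, FA_KEY),
        "attacker posing as FA, unknown SPI": sample(0x100, MN_KEY, 0x999, b"attacker"),
        "known FA, wrong key": sample(0x100, MN_KEY, 0x200, b"wrong"),
        "unknown MN, honest FA": sample(0x300, b"unknown", 0x200, FA_KEY),
        "known MN, wrong key, honest FA": sample(0x100, b"wrong", 0x200, FA_KEY),
        "known MN, wrong key, no FA-HA SA": sample(0x100, b"wrong"),
    }
    for name, msg in cases.items():
        print(f"{name:36s} -> {home_agent_decide(msg, MN_SAS, FA_SAS)}")
```

The "attacker posing as FA" case is the one Ahmad raises below: a request carrying an FHAE with an SPI the HA does not know gets no reply at all, so an unauthenticated sender cannot use the HA as a reflector. A code 132 is only ever produced for a peer with which an SA already exists.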
Kent Leung (kleung) wrote:
> Hi Ahmad. Yes, a similar remark was made in this thread already.
> Anyways, just wanted to point out this issue is more applicable to MHAE.
>
> Kent
>
> -----Original Message-----
> From: Ahmad Muhanna [mailto:amuhanna at nortel.com]
> Sent: Friday, August 22, 2008 10:13 AM
> To: Kent Leung (kleung); Charles E. Perkins; Mobile IPv4 Mailing List
> Cc: George Tsirtsis; Acee Lindem
> Subject: RE: [Mip4] RFC 3344 - Home Agent Registration Code 132
> -foreignagent failed authentication
>
> Hi Kent,
>
>
>> Anyways, I'm not sure how my quoted comment was interpreted as a
>> "MAY"?
>> A response from the HA (when it has a FA-HA security
>> association) to the FA has been useful in deployments.
>> There isn't likely a DoS from FA.
>>
>
> [Ahmad]
> Sure, any behaving node will not cause a DoS attack. The problem is from
> an attacker claiming that it is an honest FA. I am not trying to open
> this topic for discussion again, but I am strictly commenting on your
> above statement.
>
> Cheers!
> Ahmad
>
>
>> I think the more relevant issue is with the MN-HA authentication
>> rejection. The current text contains:
>>
>>
--
Mip4 mailing list: Mip4 at ietf.org
Web interface: https://www.ietf.org/mailman/listinfo/mip4
Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.