Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication

To: "Charles E. Perkins" <charles.perkins at earthlink.net>
Subject: Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
From: "Kent Leung (kleung)" <kleung at cisco.com>
Date: Mon, 25 Aug 2008 15:15:44 -0700
Authentication-results: sj-dkim-4; header.From=kleung at cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Cc: Mobile IPv4 Mailing List <mip4 at ietf.org>, Ahmad Muhanna <amuhanna at nortel.com>
Delivered-to: ietfarch-mip4-web-archive at core3.amsl.com
Delivered-to: mip4 at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=2438; t=1219702546; x=1220566546; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kleung at cisco.com; z=From:=20=22Kent=20Leung=20(kleung)=22=20<kleung at cisco.com> |Subject:=20RE=3A=20[Mip4]=20RFC=203344=20-=20Home=20Agent= 20Registration=20Code=20132=09-foreignagent=20failed=20authe ntication |Sender:=20; bh=tHX8NHqS83A37Y2mgz2sH4tZsH6K8vts5QdWX6wYvOM=; b=fRiJ6XJ9TKZ2lHzPvMtPVs53NnAfQcRHpmb+cn2X9FsWxOT8XgYCSN4Qs9 Dcma8hj6NgKXJFAEOUTDwq2zuUQZ+iMraSv6OpVnEz64YUkqho0pqMyRzK0p +ICjoHLDwu;
In-reply-to: <48B316CA.3030204 at earthlink.net>
List-archive: <https://www.ietf.org/mailman/private/mip4>
List-help: <mailto:mip4-request@ietf.org?subject=help>
List-id: Mobility for IPv4 <mip4.ietf.org>
List-post: <mailto:mip4@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
Sender: mip4-bounces at ietf.org
Thread-index: AckG8bafa/xdFa3aQRiOa/QNtGPfxAAB+UkQ
Thread-topic: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication

Hi Charlie.  Thx for factoring in the existence of SA in handling the
cases.  I think the actions for the the cases below are reasonable.
Just one tweak though.  In the last case, it's better that HA SHOULD
send #131 when MN-HA authentication failed (SA exists) because of the
following reasons:
	- Pending registration entries can be limited so resource
consumption is not an issue
	- Badly behaving MNs that sends unauthenticated RRQs can be
controlled by the above function in addition to L2 association checks
	- Allow flexibility for HA to not respond to RRQ which failed
MN-HA authentication

I'm ok with MUST if other folks feel strongly using this language vs.
SHOULD for the reasons above.

Kent 

-----Original Message-----
From: mip4-bounces at ietf.org [mailto:mip4-bounces at ietf.org] On Behalf Of
Charles E. Perkins
Sent: Monday, August 25, 2008 1:32 PM
To: Kent Leung (kleung)
Cc: Mobile IPv4 Mailing List; Ahmad Muhanna
Subject: Re: [Mip4] RFC 3344 - Home Agent Registration Code 132
-foreignagent failed authentication


Hello Kent,

I think there are several cases, and that each case could likely have
different answers.  The original issue was about the FA-HA
authentication, but I agree with you that the case of the MN-HA
authentication is important.

I think these are the relevant cases, with some suggested actions for
each case.
- FA-HA authentication fails:
    -- FA-HA SA exists ==>  MAY send #132
    -- no FA-HA SA  ==>  MUST silently drop

- MN-HA authentication fails, no FA-HA SA:
    -- MN-HA SA exists ==>  MAY send #131
    -- no MN-HA SA  ==>  MUST silently drop

- MN-HA authentication fails, FA-HA authentication:
    -- MN-HA SA exists ==>  MUST send #131
    -- no MN-HA SA  ==>  MUST silently drop

Here, in the last case when there is no SA with the mobile node, the
foreign agent can soon clean up its pending registration list.  Since
the FA has proved its identity to the HA, it could eventually infer by
the lack of RREQs from the HA, even after retries by the MN, that the MN
was not known to the home agent.

Another possibility would be to assign a new error code for a RREQ that
was purely for the purpose of notifying the FA that the mobile node was
unknown.
Then the FA would not forward this RREQ to the MN, but just expunge its
pending registration entry.

What do you think?

Regards,
Charlie P.

-- 
Mip4 mailing list: Mip4 at ietf.org
    Web interface: https://www.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

Follow-Ups:
- Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
  - From: Charles E. Perkins

References:
- Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
  - From: Charles E. Perkins

Prev by Date: Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
Next by Date: Re: [Mip4] AD review of mip4-dsmipv4
Previous by thread: Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
Next by thread: Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
Index(es):
- Date
- Thread

Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.