Re: [Mip4] Comments on draft-ietf-mip4-dsmipv4-07.txt
On Wed, Nov 5, 2008 at 1:39 AM, Vijay Devarapalli <vijay at wichorus.com> wrote:
> Hi George,
>
> Section 4.3.2 of draft-ietf-mip4-dsmipv4-07.txt has the following text
>
> The home agent SHOULD check that all inner IPv6 packets received from
> the mobile node over a tunnel with outer source address the home
> address or the care-of address, include a source address that falls
> under the registered IPv6 prefix(es) for that mobile node. If the
> source address of the outer header of a tunneled packet is not the
> registered IPv4 care-of address or the registered IPv4 home
> addresses, the packet SHOULD be dropped. If the source address of
> the inner header of an tunneled packet does not match any of the
> registered prefixes the packet SHOULD be dropped.
>
> Why does this say "the packet SHOULD be dropped"? It should say "MUST",
> right? IMO, the home agent should strictly enforce ingress filtering on
> the source address that the mobile node can use for the inner IPv6
> packets.
>
GT> SHOULD is the right language here IMO since this is not an
interoperability issue. SHOULD always means that one should do this
unless they have a very good reason not to.

> The following text in section 4.5 needs a minor correction.
>
> If the code field is set to "1" then the mobile node MUST act as
> follows:
>
> - If the care-of address mode of operation is used, the mobile
> node MUST be prepared to send/receive IPv6 traffic on its
> interface natively (i.e., without any Mobile IP related tunnel
> headers). If reverse tunneling is negotiated, then IPv6 traffic
> sent by the mobile node may be reverse tunneled via the foreign
> agent using either the direct delivery style or the encapsulating
> delivery style as defined in [RFC3024] for IPv4 traffic.
>
> I assume you are talking about FA care-of address mode. So the paragraph
> should say
>
> - If the foreign agent care-of address mode of operation is used
> ....
GT> Yes, thanks.
>
> Finally we might need to explain in more detail what happens when the
> foreign agent is a VPN gateway as described in RFC 5265. I believe Yaron
> raised this issue. In case you set the code in the IPv6 Prefix Reply
> Extension to "1" in foreign agent care-of address mode, then the IPv6
> packets for the mobile node would actually be encapsulated in an IPsec
> tunnel between the MN and the VPN GW, instead of being sent as native
> IPv6 packets. So we might need a short paragraph describing this.
>
GT> We already discussed with Yaron and agreed to add language wrt
security devices in general being aware of the new encapsulations
defined in this spec.
Thanks
> Vijay
>
--
Mip4 mailing list: Mip4 at ietf.org
Web interface: https://www.ietf.org/mailman/listinfo/mip4
Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
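
The source-address check quoted from section 4.3.2 above, sketched as an added example; it is not code from the draft or from either participant in the thread. It assumes plain IPv6-in-IPv4 encapsulation (IP protocol 41) and a hypothetical per-node binding table; all names and addresses are constructed for illustration.

```python
import ipaddress
import struct

def make_table(bindings):
    """bindings: (home_v4, care_of_v4, [ipv6 prefixes]) per mobile node (hypothetical)."""
    table = {}
    for home, coa, prefixes in bindings:
        nets = [ipaddress.IPv6Network(p) for p in prefixes]
        table[ipaddress.IPv4Address(home)] = nets
        table[ipaddress.IPv4Address(coa)] = nets
    return table

def check_tunneled(table, packet):
    """Return 'accept' or a drop reason for a tunneled packet given as bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 40:
        return "drop: truncated"
    if packet[9] != 41:  # assumption: plain IPv6-in-IPv4, no UDP encapsulation
        return "drop: not IPv6-in-IPv4"
    # Outer source must be a registered IPv4 home or care-of address.
    nets = table.get(ipaddress.IPv4Address(packet[12:16]))
    if nets is None:
        return "drop: outer source not registered"
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return "drop: inner not IPv6"
    # Inner source must fall under a prefix registered for *that* mobile node,
    # so one node cannot use another node's prefix through its own tunnel.
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if not any(inner_src in net for net in nets):
        return "drop: inner source outside registered prefixes"
    return "accept"

def build(outer_src, inner_src):
    """Constructed sample: minimal IPv4 header + IPv6 header, no payload."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address("2001:db8:ffff::1").packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0)
          + ipaddress.IPv4Address(outer_src).packed
          + ipaddress.IPv4Address("192.0.2.1").packed)
    return v4 + v6

# Constructed bindings for two mobile nodes (documentation address ranges).
TABLE = make_table([
    ("198.51.100.10", "203.0.113.5", ["2001:db8:1::/64"]),
    ("198.51.100.11", "203.0.113.6", ["2001:db8:2::/64"]),
])
```
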