Hi, JMC

I really think this is an important scenario. And as a minor supplement, not only the HA should filter spoofing of the HoA, but also the MN MUST permit the packets with source HoA (with no DAD or DHCP, either). I think this scenario should be included in the framework. The pre-registered address (static address, HoA) should have the highest priority. This means it cannot be hijacked using any other kind of mechanism, but only by manual configuration on the SAVI device.

Best regards,
Guang

> -----Original Message-----
> From: savi-bounces at ietf.org [mailto:savi-bounces at ietf.org] On Behalf Of
> Jean-Michel Combes
> Sent: Tuesday, November 10, 2009 11:21 AM
> To: savi at ietf.org
> Subject: [savi] IKEv2 address assignment method and SAVI
>
> Hi,
>
> as promised yesterday, here is an email regarding IKEv2 address
> assignment method and SAVI interaction. The scenario I have in mind is
> concerning Mobile IPv6 bootstrapping [RFC5026] where the Home Agent
> (HA) is providing the Home Address (HoA) to the Mobile Node (MN) via
> IKEv2.
>
> I assume the following architecture where the HA is the default router
> (and also a SAVI device) and the MN is on a Foreign Network (i.e. out
> of its Home Network).
>
> Internet-----MN
>    |
> +----+
> | HA |
> +----+
>    |
> --------------------------- Home Network
>    |
>  Node
>
> In this scenario, the HA will provide the HoA to the MN even if the MN
> is outside of its Home Network (the HoA is linked to the Home Network,
> i.e. the network prefix of the HoA is advertised on the Home Network).
> Unlike SLAAC or DHCP address assignment methods, there is no signaling
> on the Home Network (i.e. all the exchanges are done via IKEv2
> directly between the HA and the MN) and there is no DAD process.
>
> The HA, as a SAVI device, should be able to block any flow coming from
> a Node on the Home Network that tries to spoof the MN's HoA and
> present proposals (i.e. FCFS, DHCP, SEND, etc.) may not be applied
> (worse, IMHO, FCFS mechanism may corrupt the SAVI policy database)
> because there is no signaling on the Home Network.
>
> Comments are welcome.
>
> Thanks in advance.
>
> Best regards.
>
> JMC.
> _______________________________________________
> savi mailing list
> savi at ietf.org
> https://www.ietf.org/mailman/listinfo/savi
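The following is an added example, not part of this thread and not code from any SAVI implementation. It models the scenario JMC describes (a Node on the Home Network sending packets with the MN's HoA as source, while the genuine MN reaches the HA through its IKEv2/IPsec tunnel) as a toy SAVI binding table, and shows the effect of Guang's proposal: the HA installs the IKEv2-assigned HoA as a pre-registered, highest-priority binding, so a FCFS learner on the Home Network can neither claim nor age out that address. The priority ordering (FCFS < DHCP < SEND < STATIC), the anchor names, the sample address and the function names are all assumptions made for this example; the "FCFS corrupts the database" run is the case JMC warns about.

```python
from dataclasses import dataclass
from enum import IntEnum


class Source(IntEnum):
    """How a binding was learned. Higher value = more trusted.
    Ordering is an assumption for this example: a pre-registered entry outranks all others."""
    FCFS = 1     # learned from the first data packet seen with that source address
    DHCP = 2     # learned by snooping a DHCP assignment
    SEND = 3     # learned from SEND-protected NDP
    STATIC = 4   # manual configuration, or the HoA the HA itself assigned via IKEv2


@dataclass
class Binding:
    address: str
    anchor: str      # interface/port on which the address is valid
    source: Source


class SaviBindingTable:
    """Toy SAVI binding table: a source address is permitted only on its bound anchor."""

    def __init__(self, fcfs_learning: bool):
        self.fcfs_learning = fcfs_learning
        self._table: dict[str, Binding] = {}

    def install(self, address: str, anchor: str, source: Source) -> bool:
        """Create or replace a binding. A binding from a different anchor cannot be
        displaced by a source of lower or equal priority; this is what stops a FCFS
        learner on the Home Network from hijacking a pre-registered HoA."""
        cur = self._table.get(address)
        if cur is not None and cur.anchor != anchor and cur.source >= source:
            return False
        self._table[address] = Binding(address, anchor, source)
        return True

    def remove(self, address: str, source: Source) -> bool:
        """Remove a binding; only a source at least as strong as the creator may do so,
        so STATIC entries disappear only through manual (STATIC) configuration."""
        cur = self._table.get(address)
        if cur is None or source < cur.source:
            return False
        del self._table[address]
        return True

    def anchor_of(self, address: str):
        b = self._table.get(address)
        return b.anchor if b else None

    def process_packet(self, src_address: str, anchor: str) -> str:
        """Return 'permit' or 'drop' for a packet with src_address seen on anchor."""
        cur = self._table.get(src_address)
        if cur is None:
            # No binding yet: with FCFS enabled the first sender claims the address.
            if self.fcfs_learning and self.install(src_address, anchor, Source.FCFS):
                return "permit"
            return "drop"
        return "permit" if cur.anchor == anchor else "drop"


# Constructed sample values; names are assumptions made for this example.
HOA = "2001:db8:1::100"       # MN's Home Address, inside the Home Network prefix
TUNNEL = "ipsec-tunnel-mn"    # anchor for MN traffic arriving through its IKEv2/IPsec tunnel
HOME_LAN = "eth1-home"        # anchor for the Home Network link


def run_scenario(pre_register_hoa: bool) -> dict:
    """Replay the thread's scenario with and without a pre-registered HoA binding."""
    table = SaviBindingTable(fcfs_learning=True)
    if pre_register_hoa:
        # The HA assigned the HoA via IKEv2 itself: install it as STATIC on the tunnel anchor.
        table.install(HOA, TUNNEL, Source.STATIC)
    spoofer = table.process_packet(HOA, HOME_LAN)   # Node on the Home Network using the HoA
    mn = table.process_packet(HOA, TUNNEL)          # genuine MN traffic via the tunnel
    owner = table.anchor_of(HOA)                    # which anchor the table now trusts
    fcfs_removal = table.remove(HOA, Source.FCFS)   # can FCFS ageing drop the entry?
    return {"spoofer": spoofer, "mn": mn, "owner": owner, "fcfs_removal": fcfs_removal}


if __name__ == "__main__":
    for flag in (False, True):
        print("pre-registered HoA:", flag, run_scenario(flag))
```

Without pre-registration the first packet from the Home Network node binds the HoA to `eth1-home`, the MN's own tunnel traffic is then dropped, and the bogus entry can be aged out or replaced by FCFS: the policy database has been corrupted by a spoofer. With the STATIC binding installed from the IKEv2 assignment, the spoofer is dropped, the MN is permitted, and neither FCFS learning nor FCFS removal can touch the entry.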