
Re: [savi] IKEv2 address assignment method and SAVI



Hi Guang,

first of all, sorry for the delayed reply and thanks for your comment.

2009/11/10 Guang Yao <yaoa02 at mails.tsinghua.edu.cn>:
> Hi, JMC
>
> I really think this is an important scenario. And as a minor supplement, not
> only should the HA filter spoofing of the HoA, but the MN MUST also permit the
> packets with source HoA (with no DAD or DHCP, either).

Sorry, but I don't understand your point here :(

Best regards.

JMC.

>
> I think this scenario should be included in the framework.
>
> Pre-registered address(static address, HoA), should have the highest
> priority. This means it cannot be hijacked using any other kind of
> mechanism, but only manual configuration on SAVI device.
>
> Best regards,
> Guang
>
>> -----Original Message-----
>> From: savi-bounces at ietf.org [mailto:savi-bounces at ietf.org] On Behalf Of
>> Jean-Michel Combes
>> Sent: Tuesday, November 10, 2009 11:21 AM
>> To: savi at ietf.org
>> Subject: [savi] IKEv2 address assignment method and SAVI
>>
>> Hi,
>>
>> as promised yesterday, here is an email regarding IKEv2 address
>> assignment method and SAVI interaction. The scenario I have in mind is
>> concerning Mobile IPv6 bootstrapping [RFC5026] where the Home Agent
>> (HA) is providing the Home Address (HoA) to the Mobile Node (MN) via
>> IKEv2.
>>
>> I assume the following architecture where the HA is the default router
>> (and also a SAVI device) and the MN is on a Foreign Network (i.e. out
>> of its Home Network).
>>
>>       Internet-----MN
>>         |
>>       +----+
>>       | HA |
>>       +----+
>>         |
>>     --------------------------- Home Network
>>                       |
>>                            Node
>>
>> In this scenario, the HA will provide the HoA to the MN even if the MN
>> is outside of its Home Network (the HoA is linked to the Home Network,
>> i.e. the network prefix of the HoA is advertised on the Home Network).
>> Unlike SLAAC or DHCP address assignment methods, there is no signaling
>> on the Home Network (i.e. all the exchanges are done via IKEv2
>> directly between the HA and the MN) and there is no DAD process.
>>
>> The HA, as a SAVI device, should be able to block any flow coming from
>> a Node on the Home Network that tries to spoof the MN's HoA and
>> present proposals (i.e. FCFS, DHCP, SEND, etc.) may not be applied
>> (worse, IMHO, FCFS mechanism may corrupt the SAVI policy database)
>> because there is no signaling on the Home Network.
>>
>> Comments are welcome.
>>
>> Thanks in advance.
>>
>> Best regards.
>>
>> JMC.
>> _______________________________________________
>> savi mailing list
>> savi at ietf.org
>> https://www.ietf.org/mailman/listinfo/savi

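The scenario in the thread above, as an added example that is not part of the original mails and not code from any SAVI implementation: a toy SAVI binding table on the HA in which the HoA binding is installed from the IKEv2 exchange itself (there is no DAD or DHCP signalling on the Home Network to snoop), bindings carry a precedence following Guang's suggestion that a pre-registered address can only be replaced by manual configuration, and a second table that learns by FCFS alone shows how the spoofer's first packet corrupts the binding so that the real MN is then filtered. The method names, the precedence order, the anchor names and the addresses are assumptions made for illustration.

```python
# Added example, not code from the savi thread or any SAVI implementation.
# Models the mail above: the HA binds the HoA to the MN's tunnel from the
# IKEv2 exchange, since nothing is sent on the home link for a snooping
# SAVI device to observe.  Method names, precedence order, anchor names and
# addresses are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from ipaddress import IPv6Address
from typing import Dict, Optional


class Method(IntEnum):
    """Binding source; a higher value may move an address to another anchor.
    Ordering is an assumption: manual configuration outranks everything, as
    Guang suggests for pre-registered addresses."""
    FCFS = 1    # learned from the first data packet seen on a port
    DHCP = 2    # snooped DHCPv6 lease
    SEND = 3    # SEND-protected NS/NA (DAD)
    IKEV2 = 4   # HoA assigned by the HA over IKEv2 (RFC 5026 bootstrapping)
    STATIC = 5  # manual configuration on the SAVI device


@dataclass(frozen=True)
class Binding:
    addr: IPv6Address
    anchor: str   # ingress port, or the HA-side tunnel to the MN
    method: Method


class SaviTable:
    def __init__(self) -> None:
        self._bindings: Dict[IPv6Address, Binding] = {}

    def bind(self, addr: str, anchor: str, method: Method) -> bool:
        """Install a binding; refuse to move an address to a different anchor
        unless the new method outranks the existing one."""
        a = IPv6Address(addr)
        cur = self._bindings.get(a)
        if cur is not None and cur.anchor != anchor and method <= cur.method:
            return False
        self._bindings[a] = Binding(a, anchor, method)
        return True

    def binding_of(self, addr: str) -> Optional[Binding]:
        return self._bindings.get(IPv6Address(addr))

    def check_packet(self, src: str, ingress: str, fcfs: bool = False) -> bool:
        """True if a packet with source `src` arriving on `ingress` is forwarded.
        With fcfs=True an unknown source is learned from this very packet."""
        b = self._bindings.get(IPv6Address(src))
        if b is None:
            if fcfs:
                self.bind(src, ingress, Method.FCFS)
                return True
            return False
        return b.anchor == ingress


HOA = "2001:db8:1::100"       # constructed HoA inside the home prefix
MN_TUNNEL = "tunnel:mn"       # HA-side anchor for the MN's IPsec/IP-in-IP tunnel
HOME_PORT = "home-lan:port3"  # Home Network port where the spoofing Node sits


def scenario_with_ikev2_binding() -> dict:
    """HA installs the HoA binding from the IKEv2 exchange before any traffic:
    the spoofer on the home link is dropped, FCFS/DHCP cannot move the
    binding, only manual configuration can."""
    t = SaviTable()
    t.bind(HOA, MN_TUNNEL, Method.IKEV2)
    return {
        "mn_forwarded": t.check_packet(HOA, MN_TUNNEL),
        "spoof_forwarded": t.check_packet(HOA, HOME_PORT, fcfs=True),
        "dhcp_hijack": t.bind(HOA, HOME_PORT, Method.DHCP),
        "manual_override": t.bind(HOA, HOME_PORT, Method.STATIC),
        "anchor_after": t.binding_of(HOA).anchor,
    }


def scenario_fcfs_only() -> dict:
    """Same traffic against a table that only learns by FCFS: the spoofer's
    first packet creates the binding and the real MN is then filtered."""
    t = SaviTable()
    return {
        "spoof_forwarded": t.check_packet(HOA, HOME_PORT, fcfs=True),
        "mn_forwarded": t.check_packet(HOA, MN_TUNNEL, fcfs=True),
        "anchor_after": t.binding_of(HOA).anchor,
    }


if __name__ == "__main__":
    print(scenario_with_ikev2_binding())
    print(scenario_fcfs_only())
```

The second function is the failure mode JMC raises: with no IKEv2-derived binding and FCFS in effect, whichever packet with source HoA is seen first on the Home Network wins, and the MN's own reverse-tunnelled traffic is subsequently rejected.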
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.