Soliman, Hesham | 1 Nov 01:54 2006

RE: concensus: issue 76: Alt CoA should not be used when traversingIPv4 NAT

Hi Ryuji, 

Sounds good. I can assure you that we can protect the CoA, I want the
same thing. I just wanted to put aside the question for the moment. But
I definitely want to protect it.

Hesham 

 > -----Original Message-----
 > From: RYUJI WAKIKAWA [mailto:ryuji.wakikawa <at> gmail.com] 
 > Sent: Wednesday, November 01, 2006 2:25 AM
 > To: Soliman, Hesham
 > Cc: Pascal Thubert (pthubert); mip6 <at> ietf.org
 > Subject: Re: [Mip6] concensus: issue 76: Alt CoA should not 
 > be used when traversingIPv4 NAT
 > 
 > Hello Hesham
 > 
 > Yes and No.
 > Sorry, but it's hard to tell without considering the checksum and
 > integrity issue.
 > 
 > It depends on how we provide integrity check to IPv4 CoA.
 > If there is a way to solve this, I don't mind omitting ACoA.
 > 
 > Otherwise, no.
 > We should protect IPv4 CoA by ACoA, even if it is valid only
 > when MN roams in global IPv4 access network.
 > If the src address and the IPv4 CoA in an ACoA option are 
 > different,  
(Continue reading)

Vijay Devarapalli | 1 Nov 03:15 2006

Re: WG LC: Yoshihiro Ohba's review

Gerardo Giaretta wrote:

>>    G5.2  The AAAH SHOULD be able to indicate to the HA if the MN is
>>       authorized to autoconfigure its Home Address.
>>
>> YO: Why this is not "MUST be able to"?
>>
> 
> I'll fix it.

this might be specific to the home agent. basically
the AAAH might not care whether the HA assigns the
home address or if the HA allows the MN to
autoconfigure the home address. so I don't think we
should have a "MUST" here.

>>    G6.2  The NAS SHOULD be able to notify that it supports the
>>       functionalities described in [4].
>>
>> YO: The NAS notifies to whom?  I guess the NAS notifies AAAH server of
>> the functionalities.  If so, please explicitly mention it.  Also why
>> this is not "MUST be able to"?
>>
> 
> ok, I'll fix it

again, should this be a MUST? I don't think we
should be requiring the NAS to be able to tell the
AAAH that it can support this functionality. Kuntal?

(Continue reading)

Sri Gundavelli | 1 Nov 03:37 2006

Re: RE: concensus: issue 76: Alt CoA should not be used when traversingIPv4 NAT


I support this. I agree with Pascal's explanation on
this.

1. Yes

On Tue, 31 Oct 2006, Pascal Thubert (pthubert) wrote:

> 1) Yes ...
>
>> -----Original Message-----
>> From: Soliman, Hesham [mailto:hsoliman <at> qualcomm.com]
>> Sent: Tuesday, October 31, 2006 2:11 PM
>> To: Pascal Thubert (pthubert); mip6 <at> ietf.org
>> Subject: concensus: issue 76: Alt CoA should not be used when
> traversingIPv4 NAT
>>
>> Pascal, all,
>>
>> There's been a lot of emails on this issue so I think WG members are
>> fully informed now about what this issue involves. I will ask a simple
>> question and I'd like people to choose one of the options below. To
>> avoid any confusion I'm keeping the question simple and clear.
>>
>> Leaving the checksum option and integrity issue aside (because I know
> we
>> can fix it and I'm writing a separate issue for it) please let give me
>> an answer to the following question:
>>
>> Do you agree that the MN does not include the Alt-CoA option in the BU
(Continue reading)

Yoshihiro Ohba | 1 Nov 03:40 2006

Re: WG LC: Yoshihiro Ohba's review

Hi Vijay,

What I meant in my comment was that these requirements seem to
indicate "mandatory-to-support and optional-to-use" features, and thus
I thought it is better to say "MUST be able to" than "SHOULD be able
to".  Perhaps we could simply say:

G5.2 The AAAH MAY indicate to the HA if the MN is authorized to
autoconfigure its Home Address.

G6.2 The NAS MAY notify that it supports the functionalities described
in [4].

Yoshihiro Ohba

On Tue, Oct 31, 2006 at 06:15:51PM -0800, Vijay Devarapalli wrote:
> Gerardo Giaretta wrote:
> 
> >>   G5.2  The AAAH SHOULD be able to indicate to the HA if the MN is
> >>      authorized to autoconfigure its Home Address.
> >>
> >>YO: Why this is not "MUST be able to"?
> >>
> >
> >I'll fix it.
> 
> this might be specific to the home agent. basically
> the AAAH might not care whether the HA assigns the
> home address or if the HA allows the MN to
> autoconfigure the home address. so I don't think we
(Continue reading)

Narayanan, Vidya | 1 Nov 04:05 2006

RE: concensus: issue 76: Alt CoA should not be usedwhen traversingIPv4 NAT

All,
I just caught up with the long list of emails on this issue. Basically,
I think 1) makes sense, since in an IPv4 network, there is no prediction
of when the packets may pass through a NAT and when they may not.  

Vijay, I'm confused by your choice here. Either the tampering of a CoA
needs to be detectable or it doesn't - applying a threat model where it
is sometimes needed (i.e., when there are no NATs) and at other times a
don't care (i.e., when there are NATs) is not making any sense to me. 

That said, I'd make a couple of observations - I think detecting the
tampering of a CoA is important in all cases, regardless of whether
there is a NAT or not. But, I am not yet sure that the checksum approach
solves it the best way (checksum is certainly not a cryptographic
guarantee). I'll think about it more - at the moment, I'm not confident
enough to make that leap :) 

Thanks,
Vidya

> -----Original Message-----
> From: Vijay Devarapalli [mailto:vijay.devarapalli <at> azairenet.com] 
> Sent: Tuesday, October 31, 2006 11:26 AM
> To: Soliman, Hesham
> Cc: mip6 <at> ietf.org; Pascal Thubert (pthubert)
> Subject: Re: [Mip6] concensus: issue 76: Alt CoA should not 
> be usedwhen traversingIPv4 NAT
> 
> Soliman, Hesham wrote:
> > Pascal, all,
(Continue reading)

Vijay Devarapalli | 1 Nov 04:48 2006

Re: concensus: issue 76: Alt CoA should not be usedwhen traversingIPv4 NAT

well, if there is a NAT on the path the source
address on the outer IPv4 header is modified.
anytime a packet goes through a NAT, we have
this problem. this is a common problem. so I
don't think we should design a DS-MIPv6
specific mechanism to protect an address that
is modified by the NAT. it's not worth it.

when there is no NAT, the use of altCoA or the
IPv4 CoA option provides automatic integrity
protection to the care-of address. that's all.

Vijay

Narayanan, Vidya wrote:
> All,
> I just caught up with the long list of emails on this issue. Basically,
> I think 1) makes sense, since in an IPv4 network, there is no prediction
> of when the packets may pass through a NAT and when they may not.  
> 
> Vijay, I'm confused by your choice here. Either the tampering of a CoA
> needs to be detectable or it doesn't - applying a threat model where it
> is sometimes needed (i.e., when there are no NATs) and at other times a
> don't care (i.e., when there are NATs) is not making any sense to me. 
> 
> That said, I'd make a couple of observations - I think detecting the
> tampering of a CoA is important in all cases, regardless of whether
> there is a NAT or not. But, I am not yet sure that the checksum approach
> solves it the best way (checksum is certainly not a cryptographic
> guarantee). I'll think about it more - at the moment, I'm not confident
(Continue reading)

Soliman, Hesham | 1 Nov 04:53 2006

RE: concensus: issue 76: Alt CoA should not be usedwhen traversingIPv4 NAT


 > well, if there is a NAT on the path the source
 > address on the outer IPv4 header is modified.
 > anytime a packet goes through a NAT, we have
 > this problem. this is a common problem. so I
 > don't think we should design a DS-MIPv6
 > specific mechanism to protect  an address that
 > is modified by the NAT. its not worth it.

=> You keep repeating that and I keep answering as follows: If there is
an alt-coa in the packet then the HA has no way of knowing if there was
a NAT or not without checking it first, it can't simply compare the
outer headers...Again, this has nothing to do with the presence of the
NAT and everything to do with the presence of the alt-CoA...

So it makes zero sense to say that the "HA should ignore the alt-coa if
a NAT were detected" because the HA can't possibly know that a NAT was
en route without inspecting the alt-coa....

Hesham
Vijay Devarapalli | 1 Nov 05:00 2006

Re: concensus: issue 76: Alt CoA should not be usedwhen traversingIPv4 NAT

Soliman, Hesham wrote:
>  > well, if there is a NAT on the path the source
>  > address on the outer IPv4 header is modified.
>  > anytime a packet goes through a NAT, we have
>  > this problem. this is a common problem. so I
>  > don't think we should design a DS-MIPv6
>  > specific mechanism to protect  an address that
>  > is modified by the NAT. its not worth it.
> 
> => You keep repeating that and I keep answering as follows: If there is
> an alt-coa in the packet then the HA has no way of knowing if there was
> a NAT or not without checking it first, it can't simply compare the
> outer headers...

I actually agree with this. :)

> Again, this has nothing to do with the presence of the
> NAT and everything to do with the presence of the alt-CoA...
> 
> So it makes zero sense to say that the "HA should ignore the alt-coa if
> a NAT were detected" because the HA can't possibly know that a NAT was
> en route without inspecting the alt-coa....

hmmm... there is a misunderstanding. I didn't
say ignore the alt-CoA option. I said the HA
should not use the contents of the altCoA
option as the CoA when it detects a NAT.

it does not matter if the HA compares the source
address on the outer IPv4 header with the source
(Continue reading)

Soliman, Hesham | 1 Nov 05:08 2006

Resolution: [issue66] Setting up forwarding for IPv4 HoA

Ok with me too.

Folks, this issue is now closed.

Thanks for your feedback.

Hesham 

 > -----Original Message-----
 > From: RYUJI WAKIKAWA [mailto:ryuji.wakikawa <at> gmail.com] 
 > Sent: Wednesday, November 01, 2006 2:28 AM
 > To: Pascal Thubert ((pthubert))
 > Cc: Soliman, Hesham; Vijay Devarapalli; mip6 <at> ietf.org
 > Subject: Re: [Mip6] Re: [issue66] Setting up forwarding for IPv4 HoA
 > 
 > Hi Pascal,
 > 
 > I am fine with both texts.
 > And same for the option name.
 > 
 > ryuji
 > 
 > On 2006/10/30, at 21:54, Pascal Thubert ((pthubert)) wrote:
 > 
 > > Just to make sure on what the agreement is:
 > >
 > > 1) There are 2 paragraphs in the original text that we 
 > want to update
 > >
 > > "
(Continue reading)

Narayanan, Vidya | 1 Nov 07:36 2006

RE: concensus: issue 76: Alt CoA should not be usedwhen traversingIPv4 NAT


I don't understand something here. Why would ESP tunnel mode not provide
the needed protection? Given that we already have two IP headers in this
case, it isn't even adding any overhead. I can't see why we need
anything else. 

I can understand not wanting to impose AH, but I don't see ESP tunnel
mode as a restriction at all. 

So, the headers would simply be:

  IPv4 HDR (src=natted-v4, dst=HA-addr)
      UDP
          ESP
              IPv6 HDR (src=v4-mapped-v6, dst=HA-addr)
              DST-OPT
              MH (BU)

What's the problem with that? 

Vidya

> -----Original Message-----
> From: Vijay Devarapalli [mailto:vijay.devarapalli <at> azairenet.com] 
> Sent: Tuesday, October 31, 2006 8:00 PM
> To: Soliman, Hesham
> Cc: Narayanan, Vidya; mip6 <at> ietf.org; Pascal Thubert (pthubert)
> Subject: Re: [Mip6] concensus: issue 76: Alt CoA should not 
> be usedwhen traversingIPv4 NAT
> 
(Continue reading)
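
A small model of the HA-side decision argued over in this thread, added here as an illustration and not code from any list message or from the DSMIPv6 draft: an HMAC over the inner IPv6 header, the Alt-CoA option and the BU stands in for ESP tunnel-mode integrity protection, all addresses and the key are constructed, and the order of checks shows why the HA can only infer a NAT after it has verified the Alt-CoA option.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed demo key standing in for the MN-HA IPsec SA that ESP tunnel mode would use.
SA_KEY = b"constructed-demo-mn-ha-sa-key"


def v4_mapped(ipv4: str) -> str:
    """IPv4-mapped IPv6 address used as the inner source (e.g. ::ffff:10.0.0.5)."""
    return str(ipaddress.IPv6Address("::ffff:" + ipv4))


def icv(inner: dict) -> str:
    """HMAC over everything behind ESP: inner IPv6 header, Alt-CoA option and BU."""
    payload = json.dumps(inner, sort_keys=True).encode()
    return hmac.new(SA_KEY, payload, hashlib.sha256).hexdigest()


def build_bu(ipv4_coa: str, ha: str, hoa: str) -> dict:
    """MN builds a BU: unprotected outer IPv4 header plus ESP-protected inner part."""
    inner = {"src": v4_mapped(ipv4_coa), "dst": ha, "hoa": hoa, "alt_coa": ipv4_coa}
    return {"outer_src": ipv4_coa, "outer_dst": ha, "inner": inner, "icv": icv(inner)}


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """A NAT on the path rewrites only the outer IPv4 source; the ESP payload is untouched."""
    return dict(pkt, outer_src=public_ip)


def modified_alt_coa(pkt: dict, new_coa: str) -> dict:
    """Packet whose Alt-CoA option was altered in transit (the tampering the thread discusses)."""
    return dict(pkt, inner=dict(pkt["inner"], alt_coa=new_coa))


def ha_process(pkt: dict) -> tuple:
    """HA decision: verify integrity first, then infer a NAT by comparing Alt-CoA to outer src."""
    if not hmac.compare_digest(icv(pkt["inner"]), pkt["icv"]):
        return ("reject", None)          # the CoA (or anything else inside ESP) was changed
    alt_coa = pkt["inner"]["alt_coa"]
    if alt_coa == pkt["outer_src"]:
        return ("no-nat", alt_coa)       # Alt-CoA is authentic and usable as tunnel endpoint
    # A mismatch after a successful integrity check means the outer source was rewritten
    # on the path (a NAT), so the HA tunnels to the NATed address, not to the Alt-CoA.
    return ("nat", pkt["outer_src"])
```

The last case in the checks below is the one the thread cares about: without the integrity check, an altered Alt-CoA that happens to equal the outer source would be accepted as "no NAT".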
