headers
Alexandru Petrescu | 2 Jan 2007 10:43

Re: Non-tunnelled Echo Req MN to HA

Vijay Devarapalli wrote:
> Alexandru Petrescu wrote:
>> Vijay Devarapalli wrote:
>>> Mondemu Sreenivasulu-A21119 wrote:
>>>> Sorry, The small correction. It is not very clear from RFC 3775
>>>>  whether it is a expected scenario.
>>> 
>>> RFC 3775 requires the HA to send the Echo Reply back with a 
>>> routing header if the Echo request had the home address option.
>> 
>> Yes, that's fine, 3775 clear on that.
>> 
>> But does 3775 require the _HA_ to send a Binding Error to MN if it
>>  received an EchoReq with DO whose HoA is not in its BC?  The TAHI
>>  certification tests seem to require this.
> 
> No. The Binding Error message is sent only the CN. The TAHI test is 
> valid only if your HA is also a CN.

Ok, so a HA not sending Binding Error to a MN it serves would still be
TAHI-conformant?

>> 3775 does require the _CN_ to do so.  Would HA also send Binding 
>> Errors when EchoReq DO's has a HoA not present its BC?
>> 
>> The 3775 Binding Error text seems to be only about CN, not HA.
>> 
>> This again is a very needed clarification for anybody implementing 
>> an HA.  This clarification is needed together with clarification 
>> whether HA sends Binding Refresh Request or not (3775 says CN
(Continue reading)

Permalink | Reply | 15 comments |
headers
Jari Arkko | 2 Jan 2007 14:13

AD review of draft-ietf-mip6-bootstrapping-split


Hi all,

I have reviewed this specification. Overall, I like
the basic approach and this will be very useful.
The document is generally in good shape.

However, there are a few technical issues
that need to be resolved before we can
move forward. In particular, the authorization
steps need to be specified in greater detail,
and I also had question marks about the
particular approach to anycast.

Also, I have asked the DNS directorate
to review the DNS-relevant parts.

Please find the detailed comments below:

Technical:

>    This
>    implies that the mobility service is bootstrapped independently
>    from the authentication protocol for network access used (e.g.
>    PANA, EAP).
Perhaps you should allow for the possibility
that there is no access authorization. Suggested
edit: "... from the security mechanisms used for
network access (e.g., EAP or even open access)
>    Additionally, the ability to provide a mobile node with a
(Continue reading)

Permalink | Reply | 20 comments |
headers
Internet-Drafts | 2 Jan 2007 21:50
Picon
Favicon

I-D ACTION:draft-ietf-mip6-hiopt-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Mobility for IPv6 Working Group of the IETF.

	Title		: DHCP Option for Home Information Discovery in MIPv6
	Author(s)	: H. Jang, et al.
	Filename	: draft-ietf-mip6-hiopt-01.txt
	Pages		: 16
	Date		: 2007-1-2
	
This draft defines a DHCP-based scheme to enable dynamic discovery of
   Mobile IPv6 home agent address, home address, and home subnet.  New
   DHCP options are defined to carry the information from a DHCP server
   to the DHCP client running on the mobile node.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-mip6-hiopt-01.txt

To remove yourself from the I-D Announcement list, send a message to 
i-d-announce-request <at> ietf.org with the word unsubscribe in the body of 
the message. 
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce 
to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the 
username "anonymous" and a password of your e-mail address. After 
logging in, type "cd internet-drafts" and then 
"get draft-ietf-mip6-hiopt-01.txt".

A list of Internet-Drafts directories can be found in
(Continue reading)

Permalink | Reply | 0 comments |
headers
Mondemu Sreenivasulu-A21119 | 3 Jan 2007 06:32

RE: Non-tunnelled Echo Req MN to HA

Hi Vijay & Alex,

HA has to send Binding error message when it gets unrecognized MH type.
Here I am cut and pasting the RFC statement

"o  The MH Type field MUST have a known value (Section 6.1.1).
      Otherwise, the node MUST discard the message and issue a Binding
      Error message as described in Section 9.3.3, with Status field set
      to 2 (unrecognized MH Type value).

Thanks & regards
Sreeni 

-----Original Message-----
From: Petrescu Alexandru-AAP021 
Sent: Tuesday, January 02, 2007 3:14 PM
To: Vijay Devarapalli
Cc: Mondemu Sreenivasulu-A21119; mip6 <at> ietf.org
Subject: Re: [Mip6] Non-tunnelled Echo Req MN to HA

Vijay Devarapalli wrote:
> Alexandru Petrescu wrote:
>> Vijay Devarapalli wrote:
>>> Mondemu Sreenivasulu-A21119 wrote:
>>>> Sorry, The small correction. It is not very clear from RFC 3775  
>>>> whether it is a expected scenario.
>>> 
>>> RFC 3775 requires the HA to send the Echo Reply back with a routing 
>>> header if the Echo request had the home address option.
>>
(Continue reading)

Permalink | Reply | 1 comment |
headers
Vijay Devarapalli | 3 Jan 2007 07:21

Re: Non-tunnelled Echo Req MN to HA

Hi Sreeni,

Mondemu Sreenivasulu-A21119 wrote:
> Hi Vijay & Alex,
> 
> HA has to send Binding error message when it gets unrecognized MH type.
> Here I am cut and pasting the RFC statement
> 
> "o  The MH Type field MUST have a known value (Section 6.1.1).
>       Otherwise, the node MUST discard the message and issue a Binding
>       Error message as described in Section 9.3.3, with Status field set
>       to 2 (unrecognized MH Type value).

You are correct. The HA does send the binding error when
it with status field set to 2. But it does not send a
Binding error with status field set to 1, unless it is
a CN for a mobile node that it does not serve.

We were discussing the HA receiving a data packet with a
home address option with no corresponding binding cache
entry for the home address.

Vijay

> 
> Thanks & regards
> Sreeni 
> 
> -----Original Message-----
> From: Petrescu Alexandru-AAP021
(Continue reading)

Permalink | Reply | 0 comments |
headers
Jari Arkko | 3 Jan 2007 12:14

re-review of mip6-cn-ipsec


Hi all,

I finally found time to come back to this document.
Sorry for the delay.

I like the new applicability statement and other
changes you made in the draft. However, there
are still some issues from my previous review
that were not addressed, including for instance
the normative references, negotiation of how
this mechanism is turned on, and a more detailed
explanation of the security implications of this
mechanism. Details later in this e-mail.

Also, as I went through the draft I wrote some
edits that would satisfy my review and let this
draft move forward. Feel free to use these
as a starting point or make your own edits;
they are provided as suggestions only:

http://www.arkko.com/reviews/mip6/cn-ipsec-03-edits.txt
http://www.arkko.com/reviews/mip6/cn-ipsec-03-edits-from-draft-ietf-mip6-cn-ipsec-03.diff.html

Technical:
>    -  when an alternate care-of address option is present and is not
>       checked using the state cookie mechanism [COOKIE], the alternate
>       care-of address MUST match the source address in the IP header or
>       the home address itself.  Any binding update which does not
>       fulfill this requirement MUST be rejected.
(Continue reading)

Permalink | Reply | 501 comments |
headers
Behcet Sarikaya | 3 Jan 2007 16:55
Picon
Favicon

Re: re-review of mip6-cn-ipsec

Hi all,
  Glancing through this draft, I noticed the following:
By just setting up an IPsec SA with the CN, the MN is able to send packets directly to the CN, i.e., triangular routing is enabled.

shouldn't it say the triangular routing is disabled?
 
Regards,
 
--behcet
----- Original Message ----
From: Jari Arkko <jari.arkko <at> piuha.net>
To: Francis Dupont <Francis.Dupont <at> fdupont.fr>; COMBES Jean-Michel RD-MAPS-ISS <jeanmichel.combes <at> orange-ft.com>
Cc: Mobile IPv6 Mailing List <mip6 <at> ietf.org>
Sent: Wednesday, January 3, 2007 5:14:33 AM
Subject: [Mip6] re-review of mip6-cn-ipsec

Hi all,

I finally found time to come back to this document.
Sorry for the delay.

I like the new applicability statement and other
changes you made in the draft. However, there
are still some issues from my previous review
that were not addressed, including for instance
the normative references, negotiation of how
this mechanism is turned on, and a more detailed
explanation of the security implications of this
mechanism. Details later in this e-mail.

Also, as I went through the draft I wrote some
edits that would satisfy my review and let this
draft move forward. Feel free to use these
as a starting point or make your own edits;
they are provided as suggestions only:

http://www.arkko.com/reviews/mip6/cn-ipsec-03-edits.txt
http://www.arkko.com/reviews/mip6/cn-ipsec-03-edits-from-draft-ietf-mip6-cn-ipsec-03.diff.html

Technical:
>    -  when an alternate care-of address option is present and is not
>       checked using the state cookie mechanism [COOKIE], the alternate
>       care-of address MUST match the source address in the IP header or
>       the home address itself.  Any binding update which does not
>       fulfill this requirement MUST be rejected.
>    -  no care-of address test is required when ingress filtering can
>       reject fake care-of addresses from a rogue mobile node but a
>       correspondent node can use the return routability state cookie
>       procedure to get extra insurance as well as for the support of
>       real alternate care-of addresses.
We already talked about this...

I would suggest deleting the part about the cookie mechanism.
This allows your draft to become an RFC without this IMHO normative
reference. (And if/when you publish another RFC on the cookie
mechanism, its OK for that draft to update this RFC. And I am
willing to AD sponsor documents in this space. But I'd like to
do that on a document-by-document basis, not by approving
one document that points to all the others.)

In any case, my suggested edits contain a new
section about possible enhancements, with pointers
to some ideas. This would be OK.
>    When the home address is bound to a public key, for instance when the
>    home address is a Cryptographically Generated Addresses [RFC3972],
>    the strong authentication MAY be replaced by an address ownership
>    proof as described for instance in [IKECGA].
As above.

>    IPsec is far more secure than the return routability procedure, thus
>    it should be used where it is applicable.  So this document can
>    increase at least the overall security of Mobile IPv6.
This document should specify how IPsec is better or
different, not simply state its better.

My suggested edits have one attempt at such
a description.

Semi-technical:
>  In binding updates the new requirements are:
>    -  the H (home registration) and K (key management mobility
>       capability) bits MUST be cleared.
The former does not appear to be a new requirement. Suggest
deleting the entry, and stating later in the same section
"The use of the K (key management mobility capability)
bit with correspondent nodes is not defined. This bit
is always set to zero."

>    -  as ESP can only protect the payload, an alternate care-of address
>       option MUST be used in conjunction with ESP (cf. [RFC3775] section
>       11.7.1).
This is another requirement that is not new. Delete the
item.
>    -  "long" lifetime compatible with the IPsec policy (i.e., by default
>       up to the IPsec security association lifetime) MAY be granted.
Perhaps you should classify this as something else
than a new requirement, e.g., place it after the list
and formulate as:

"Note that a relatively "long" lifetime compatible with the IPsec policy
(i.e., by default up to the IPsec security association lifetime) MAY
be granted."
>    -  in order to avoid granting any extra privilege by a side effect of
>       using IPsec, the peers (i.e., the mobile and correspondent nodes)
>       may restrict the traffic selectors to the protection of mobility
>       signaling only.  This should be applied to any dubious cases,
>       including by default when security administration is known to be
>       too light.
I still do not understand this. Furthermore, it seems to
argue against the situation that you assumed in the
applicability statement. That is, you use this method
when you would be using IPsec anyway for some other
reason.

> When a packet carrying a home address option is protected by a
> >    suitable IPsec security association, the home address option SHOULD
> >    be considered valid.
>  
>
> I think there should be a discussion somewhere (perhaps Section 2)
> about the type of SA creation procedure and trust that is required
> to make the above decision. See RFC 4449 Section 2 first two bullet
> items for an example, and consider saying something about whether
> this mechanism is applicable with BTNS or opportunistic IPsec.
>
> The implications may also be different for triangular routing
> and route optimization. It seems that all we need for triangular
> routing is that the original address (the one that you send
> traffic back to) was used in the IKE exchange. That is, a dynamic
> SA is needed, but it can be of any type. For route optimization,
> we'd like to know and trust the entity at the other end.
>  
This comment from my previous review has not
been addressed.

> In binding updates the new requirements are:
>  
>
> I would like to understand what happens when the peers use RFC 3775
> while at the same time for other reasons use IPsec between themselves,
> and ONE (not both) support the mechanism specified here. How do they
> know what they should do? Is there a missing negotiation step somewhere?
>  
As above.

> If you cut away the state cookie reference (as suggested earlier),
> I would suggest that you include a statement similar to RFC 4449
> about the trust needed to take care-of addresses without verifying
> them.
As above.


Editorial:

> But any stronger mechanism (i.e., more secure than the
> return routability procedure) may be used, including of course IPsec
> (cf. [RFC3775] Appendix 3 "New Authorization Methods").
For readability, you should rewrite this as "This document
defines an alternative mechanism based on strong authentication
and IPsec."
>    The purpose of this document is not to replace the [RFC3775] return
>    routability procedure by the use of IPsec/IKE which has some
>    authentication requirements which make its universal deployment more
>    than unrealistic.
Again for readability, change to

   The purpose of this document is not to replace the [RFC3775] return
   routability procedure by the use of IPsec/IKE. It is unrealistic to
   expect credentials to be available for strong authentication between
   any pair of communication hosts.

Finally, the document should be checked for correct
capitalization of terms (such as message names) from
RFC 3775.

Jari


_______________________________________________
Mip6 mailing list
Mip6 <at> ietf.org
https://www1.ietf.org/mailman/listinfo/mip6 

_______________________________________________
Mip6 mailing list
Mip6 <at> ietf.org
https://www1.ietf.org/mailman/listinfo/mip6
Permalink | Reply | 0 comments |
headers
Jouni Korhonen | 4 Jan 2007 00:03
Favicon

Questions on draft-ietf-mip6-radius-01

Hi,

I have few questions for clarifications on this draft.

Section 8 and the associated notes give an impression that when a NAS 
suggest a local HA _both_ MIP6-HL-Prefix and MIP6-HOA must be present in 
the access-req. I assume this is not the intention as the same prefix 
information is anyway included in both attributes, no?

Why section 9 is not actually referencing related MIP6 work in Dime for 
the possible Diameter translations? E.g. all attributes except 
MIP6-DNS-MO will be covered in Dime's NAS-HAAA document.

In section 9 all AVPs have mandatory bit set in the flag rules table. I 
wonder if this is actually correct. E.g. integrated scenario Diameter 
case would reuse existing applications.

Cheers,
	Jouni
Permalink | Reply | 15 comments |
headers
RYUJI WAKIKAWA | 4 Jan 2007 05:06
Picon

Re: Non-tunnelled Echo Req MN to HA

Hi Alex,

On 2006/12/29, at 21:10, Alexandru Petrescu wrote:

> Francis Dupont wrote:
>> In your previous mail you wrote:
>>> I'm trying to clarify the following ping scenario: MN sends an ICMP
>>>  Echo Request to its HA, as a non-tunnelled packet.  Src: CoA, Dst:
>>>  HA <at>  and DO: HoA.
>>> Remark this is a non-tunnelled packet.
>> => in fact it is the standard way to send a direct packet from MN  
>> to HA (as the HA is a common CN for direct traffic).
>
> Yes, it is the standard way to communicate between MN and HA.  I'm not
> sure though what is meant by 'HA is a common CN' in usual discussion.
> This is something we've discussed separately (eg does HA send a  
> BRR, as
> a CN would) and there was no conclusive decision.  This is something
> needed very often in implementation.  For example let's say I  
> embark in
> implementing an HA.  Should I make it send BRRs or not.

Yes, you should if HA needs to communicate with MNs whose home prefix  
is other than the HA's one.
HA always be HA only for own MNs, and can be correspondent node for  
other MNs.
This is very clear from 3775.

Of course, you can skip implementation of BRR if your HA never  
communicates with other MRs.

ryuji

> This pinging HA question also reflects a need for clarification.
>
>>> Should the HA simply send back ICMP echo replies to the CoA?  Or  
>>> should the HA be bothered by the HoA in DO and send back the echo  
>>> reply _only_ if the corresponding binding cache entry (HoA-CoA)  
>>> exists, and otherwise send a Binding Error to MN?
>> => none of them: the HA ICMP engine should send replies to the MN HoA
>>  and the MIPv6 code should add a type 2 RH through the registered CoA
>>  (which can be the same of a different address).
>
> Ok.
>
>>> I'm tempted to say that HA should ignore the HoA in DO and just
>>> reply back to MN.  MN and HA should still act as simple hosts and
>>> ping each other non-tunnelled.
>> => if you want that you must avoid the DO, usually it is done by  
>> forcing the source address to the CoA.
>
> Errr... I understand the principle: don't put DO in Echo Req and thus
> the Echo Reply won't have an RH.  (the src address _is_ the CoA).  But
> the ping program is not capable to optionally add DO or not.
>
>> Merry Christmas!
>
> Thanks !  Et Bonnes Fetes !
>
> Alex
>
> _______________________________________________
> Mip6 mailing list
> Mip6 <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/mip6
Permalink | Reply | 1 comment |
headers
Hannes Tschofenig | 4 Jan 2007 12:39
Picon

Re: Questions on draft-ietf-mip6-radius-01

Hi Jouni,

Jouni Korhonen wrote:
> Hi,
>
> I have few questions for clarifications on this draft.
>
> Section 8 and the associated notes give an impression that when a NAS 
> suggest a local HA _both_ MIP6-HL-Prefix and MIP6-HOA must be present 
> in the access-req. I assume this is not the intention as the same 
> prefix information is anyway included in both attributes, no?
>
> Why section 9 is not actually referencing related MIP6 work in Dime 
> for the possible Diameter translations? E.g. all attributes except 
> MIP6-DNS-MO will be covered in Dime's NAS-HAAA document.
That's a mistake. I mentioned it during my presentation at the last IETF 
meeting in RADEXT.

>
> In section 9 all AVPs have mandatory bit set in the flag rules table. 
> I wonder if this is actually correct. E.g. integrated scenario 
> Diameter case would reuse existing applications.
I think the table needs to be corrected. I also believe that most of the 
Diameter Considerations sections in various drafts (not only in this 
document) are actually wrong.
If the design of a Diameter application would be so easy why do we need 
to discuss various aspects for a couple of months.

Btw, the attribute format needs to be updated to meet the expectations 
of the RADEXT group.

To summarize: As we move along with the DIME documents we need to get 
the documents in sync.

Ciao
Hannes
>
> Cheers,
>     Jouni
>
>
> _______________________________________________
> Mip6 mailing list
> Mip6 <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/mip6
Permalink | Reply | 0 comments |

Gmane