Re: Comments on draft-chowdhury-mip6-bootstrap-radius-00.txt (ietf.mip6, msg #00151)
Hi Gerardo,

On Wed, Jul 28, 2004 at 03:14:29PM +0200, Giaretta Gerardo wrote:
> Hi Yoshi,
>
> see below..
>
> > If the concern is about hijacking, I think integrity
> > protecting the bootstrapping information is sufficient.
> > However, as Alper mentioned in other email, I think it is
> > hard to achieve end-to-end integrity protection for the
> > bootstrapping information as described below.
> >
> > With using the EAP-based bootstrapping (i.e.,
> > draft-giaretta-mip6-authorization-eap-01.txt) it is possible
> > to integrity protect bootstrapping information between AAAH
> > and the mobile node. But it would be difficult to achieve
> > end-to-end protection if the bootstrapping information is
> > assigned by AAAF then passed to AAAH expecting the
> > information carried through EAP. In this case, AAAH can
> > alter the bootstrapping information.
> >
>
> I do not think this is a problem. If the MN is bootstrapping with the
> AAAH (that is a trusted node), the AAAH is expected to explicitly
> authorize and control the whole bootstrapping procedure (see section 7.1
> of problem statement draft). So, if necessary, the AAAH can also alter,
> or completely reject, the information provided by AAAF. For example even
> if the AAAF provides the address of a HA available within the foreign
> domain, the AAAH can decide (e.g. based on the user profile or on other
> administrative rules) not to assign it to the MN and select a HA within
> the home domain.

I think whether AAAH can decide to alter or deny the information provided
by AAAF depends on the roaming agreement between AAAH and AAAF. In the
case where AAAH is not allowed by agreement to alter or deny the
information provided by AAAF, if AAAH can somehow alter the information,
I think it is still a problem.

Also, for scenarios other than the one described in section 7.1 of the
problem statement, I don't think the AAAH is always expected to control
the whole bootstrapping procedure when the mobile node is bootstrapping
based on the MN-AAAH security association. In the case where
bootstrapping information is assigned by AAAF, it is valid from the AAA
architectural perspective that the AAAF can insert the information
created by itself and deliver it to the mobile without asking the AAAH
for authorization of the information, provided that the roaming
agreement between AAAH and AAAF allows that.

Yoshihiro Ohba

> --Gerardo
>
> > On the other hand, if we use the DHCP-based approach (i.e.,
> > draft-chowdhury-mip6-bootstrap-radius-00.txt), the NAS or
> > DHCP server in the foreign network can alter the
> > bootstrapping information sent by AAAH regardless of whether the
> > information is integrity protected between the NAS or DHCP
> > server and mobile node.
> >
> > So I would not agree if one of the approaches is said to be
> > better than the other from the security point of view.
> >
> > Yoshihiro Ohba
> >
> > On Tue, Jul 27, 2004 at 09:34:21AM -0700, James Kempf wrote:
> > > Good point.
> > >
> > > I'll counter by saying that if one is rather more concerned about
> > > hijacking than simple exposure of information, the bootstrapping phase
> > > is critical. Therefore, it might make more sense to protect that
> > > information more tightly than during actual operation. Certainly the
> > > foreign network can get information about HA topology through traffic
> > > analysis, but it can't dupe the MN into using one that it otherwise
> > > wouldn't have.
> > >
> > > jak
> > >
> > > ----- Original Message -----
> > > From: "Yoshihiro Ohba" <yohba@xxxxxxxxxxxxxxxx>
> > > To: "Kuntal Chowdhury" <chowdury@xxxxxxxxxxxxxxxxxx>
> > > Cc: "Vijay Devarapalli" <vijayd@xxxxxxxxxxxxxx>; "Alper Yegin"
> > > <alper.yegin@xxxxxxxxxxx>; <mip6@xxxxxxxx>; "Ralph Droms"
> > > <rdroms@xxxxxxxxx>; "James Kempf" <kempf@xxxxxxxxxxxxxxxxxx>; "Avi Lior"
> > > <avi@xxxxxxxxxxxxxxxxxxxxxx>
> > > Sent: Monday, July 26, 2004 8:28 PM
> > > Subject: Re: [Mip6] Comments on draft-chowdhury-mip6-bootstrap-radius-00.txt
> > >
> > > > On Mon, Jul 26, 2004 at 06:32:13PM -0400, Kuntal Chowdhury wrote:
> > > > > Vijay,
> > > > >
> > > > > So, if we come back to Jak's original point about situations where
> > > > > carriers would like to keep their network node addresses private, then
> > > > > don't you think there has to be a confidential info exchange
> > > > > between the home domain and the MN prior to home registration? I want to
> > > > > clarify whether hiding the MIP6 bootstrap information exchange from
> > > > > intermediaries is a design goal for the MIP6 bootstrap solution? This
> > > > > will be helpful to determine the vehicle by which the information can
> > > > > be sent to the MN from the NAS.
> > > >
> > > > If the NAS in the visiting network can know the home agent address
> > > > and home address by snooping Binding Update and data traffic, hiding
> > > > the home agent address and home address exchange from intermediaries
> > > > in the bootstrapping procedure does not make much sense to me.
> > > >
> > > > Yoshihiro Ohba
> > > >
> > > > > -Kuntal
> > > > >
> > > > > >-----Original Message-----
> > > > > >From: Vijay Devarapalli [mailto:vijayd@xxxxxxxxxxxxxx]
> > > > > >Sent: Monday, July 26, 2004 5:23 PM
> > > > > >To: Chowdhury, Kuntal [RICH1:2H18:EXCH]
> > > > > >Cc: James Kempf; mip6@xxxxxxxx; Alper Yegin; Avi Lior; Ralph Droms
> > > > > >Subject: Re: [Mip6] Comments on draft-chowdhury-mip6-bootstrap-radius-00.txt
> > > > > >
> > > > > >Kuntal Chowdhury wrote:
> > > > > >
> > > > > >> world. I am curious though, was there a requirement to keep
> > > > > >> this information secret while designing MIPv6 protocol?
> > > > > >
> > > > > >it was discussed and the conclusion was there is nothing in a
> > > > > >DHAAD reply that needs protection. but, I wouldn't claim this
> > > > > >would be true for all deployment scenarios.
> > > > > >
> > > > > >moreover, IPsec doesn't work for anycast addresses. :)
> > > > > >
> > > > > >Vijay
> > > > >
> > > > > _______________________________________________
> > > > > Mip6 mailing list
> > > > > Mip6@xxxxxxxx
> > > > > https://www1.ietf.org/mailman/listinfo/mip6
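As an added illustration (not part of this thread or of either draft), a small Python model of the two delivery paths argued over above: in the EAP-based path the bootstrapping information is tagged under a key shared only by the MN and the AAAH, so a change made by the NAS after tagging is detected, while a change made by the AAAH before tagging is not; in the DHCP-based path the NAS re-tags under its own hop key, so its changes are not detected either. The keys, the HA addresses (2001:db8:: documentation space) and the JSON encoding are constructed assumptions.

```python
import hashlib, hmac, json

# Constructed keys for the illustration. Only the MN and the AAAH share a key
# (EAP-based path); the DHCP-based path can at best protect the NAS-to-MN hop
# with a separate NAS key. No node shares a key with the AAAF on the MN's behalf.
K_MN_AAAH = b"constructed-key-mn-aaah"
K_MN_NAS = b"constructed-key-mn-nas"


def tag(key, info):
    """Integrity tag over the bootstrapping information (HMAC-SHA256 over canonical JSON)."""
    return hmac.new(key, json.dumps(info, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def mn_verifies(key, info, t):
    """MN-side check; True means the MN accepts the information as received."""
    return hmac.compare_digest(tag(key, info), t)


def eap_bootstrap(aaaf_info, aaah_edit=None, nas_edit=None):
    """AAAF assigns the info, AAAH carries it to the MN inside EAP, tagged under K_MN_AAAH.
    Returns (accepted_by_mn, info_as_received)."""
    info = dict(aaaf_info)
    if aaah_edit:           # AAAH alters before tagging: the tag covers the altered value
        info.update(aaah_edit)
    t = tag(K_MN_AAAH, info)
    if nas_edit:            # NAS alters after tagging: the tag no longer matches
        info = {**info, **nas_edit}
    return mn_verifies(K_MN_AAAH, info, t), info


def dhcp_bootstrap(aaah_info, nas_edit=None):
    """AAAH hands the info to the NAS over RADIUS; the NAS/DHCP server delivers it to
    the MN under the hop key K_MN_NAS. Returns (accepted_by_mn, info_as_received)."""
    info = dict(aaah_info)
    if nas_edit:            # NAS alters, then tags with the hop key: the MN cannot tell
        info.update(nas_edit)
    t = tag(K_MN_NAS, info)
    return mn_verifies(K_MN_NAS, info, t), info


def compare_paths(assigned):
    """Which alterations each path lets the MN detect (True = MN accepts the altered info)."""
    swapped = {"ha": "2001:db8:feed::1"}  # constructed substitute HA address
    return {
        "eap_aaah_alters": eap_bootstrap(assigned, aaah_edit=swapped)[0],
        "eap_nas_alters": eap_bootstrap(assigned, nas_edit=swapped)[0],
        "dhcp_nas_alters": dhcp_bootstrap(assigned, nas_edit=swapped)[0],
    }


if __name__ == "__main__":
    print(compare_paths({"ha": "2001:db8:f0::1", "hoa_prefix": "2001:db8:f0::/64"}))
```

Only the EAP-path NAS alteration comes back False; the AAAH-side alteration and the DHCP-path NAS alteration are accepted, which is the point both Yoshihiro and Gerardo are circling.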