
Re: [saag] Declining the ifare bof for Chicago




Vijay,

I was not saying it without reason. I brought up the 128-bit key issue a long while ago and there was silence.

More recently, draft-ietf-mip6-ha-switch-03, on which you are an author, says the following:

++++++++++++
9. Security Considerations


   The Home Agent Switch message MUST be authenticated by one of the
   following methods:

        o The home agent to mobile node IPsec ESP authentication SA for
          integrity protection as described in [2].

        o A home agent to mobile node authentication option, such as
          [3].
+++++++++

Those two options are listed as equivalent choices.

So, how am I wrong?

regards,
Lakshminath

On 6/12/2007 1:25 PM, Vijay Devarapalli wrote:
> Lakshminath,
>
> On 6/11/07, Lakshminath Dondeti <ldondeti@xxxxxxxxxxxx> wrote:
>
>> The MIP6 working group developed the AUTH protocol (do I need to bring
>> up the thing about using 128 bit keys with HMAC-SHA-1, which seems to be
>> an oversight and not a conscious choice with reasoning) and they think
>> it is fine as an alternative to IPsec.  I am surprised consensus in that
>> group is the barrier for doing the IFARE work.
>
> This is a mischaracterization of the security work done in the MIP6
> WG. The AUTH protocol for MIPv6 (RFC 4285) was done as an
> Informational document for one particular SDO (3GPP2). The default
> mechanism is the use of IKEv2 to negotiate security associations
> between the mobile node and the home agent and the use of ESP to
> protect the signaling messages. The MIP6 WG has worked on more
> extensions for bootstrapping security associations between the mobile
> node and the home agent and all of them have assumed IPsec. Not RFC
> 4285.
>
> If you have any specific concerns please bring them up on the MIP6 mailing list.
>
> Vijay