Dear Dharmanandana,

Thank you for your clarification.
Yes, as per YinXing's understanding, once the FAP and SeGW are mutually authenticated, the SeGW will then notarize the info that was provided by the FAP (in Client_Notarized_Info) into a form of signature, and the signature will then be fed back to the FAP. In the Femto architecture, there is a direct interface between the FAP and the Mobile Core Network. The signaling path between the FAP and the Mobile Core Network is protected by the IPsec tunnel that was established between the FAP and the SeGW. The FAP will then embed the SeGW's notarized signature into the FAP's signaling communication with the Mobile Core Network, of which the signaling is part of the IPsec payload. Hence, it is totally transparent to the SeGW. The notarized signature just contains some FAP-specific configuration info - i.e. NOT every single packet between the FAP and the Mobile Core Network will be notarized. It is a very small, specific piece of configuration info regarding the FAP which is specific to the particular mobile technology (i.e. 3GPP, 3GPP2, WiMAX etc.) and the corresponding mobile operator.

Hoping that I was able to answer your question clearly. As ZaiFeng is back from her holiday, I will leave the rest of the further questions to her.

Sincerely thanks for your kind attention to this draft.

Cheers.
Tricci

Dharmanandana Reddy Pothula <dharmanandana.pothu...@huawei.com>
Sent by: ipsec-boun...@ietf.org
01/31/2012 02:43 AM
Please respond to dharmanandana.pothu...@huawei.com
To: t...@zteusa.com
cc: ipsec@ietf.org, ipsec-boun...@ietf.org, zong.zaif...@zte.com.cn
Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt

Hi Tricci,

Thanks for your explanation. I get your point why a notarized signature is required, but my question is not about notarizing every packet. Let me ask my question in a different way: does the FAP send the notarized signature in every IPsec packet to the core network?
As I understand from the draft, before accepting every IPsec packet, the core network validates the notarized signature. Where is this notarized signature placed in every IPsec packet?

Thanks,
Dharmanandana Reddy Pothula

From: t...@zteusa.com [mailto:t...@zteusa.com]
Sent: Wednesday, January 25, 2012 1:26 PM
To: dharmanandana.pothu...@huawei.com
Cc: ipsec@ietf.org; ipsec-boun...@ietf.org; zong.zaif...@zte.com.cn; t...@zteusa.com
Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev

Dear Dharmanandana,

I hope that I address you correctly. If not, please pardon my ignorance. As this week is the Spring Festival, ZaiFeng is not available. Hence, I would like to respond to you on her behalf. Could you please kindly see my responses to you inline below. Many thanks.

Tricci

Dharmanandana Reddy <dharmanandana.pothu...@huawei.com>
Sent by: ipsec-boun...@ietf.org
01/24/2012 04:04 AM
Please respond to dharmanandana.pothu...@huawei.com
To: zong.zaif...@zte.com.cn
cc: ipsec@ietf.org
Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt

Hi Zaifeng,

I have the following questions and concerns about your proposed solution: "The FAP will then send the FAP information together with the corresponding SeGW notarized signature to its mobile operator's core network. The core network verifies the FAP information by validating the SeGW notarized signature prior to the acceptance of the information".

Does every IP packet carry the SeGW notarized signature after the server sends the notarized signature to the client? If not, what's the point in returning the notarized signature to the client? I believe yes; if so, it will increase the percentage of overhead per packet and may impact the quality of real-time voice and video.

Tricci > You ask a very legitimate question. Maybe our draft is not clear enough to explain the main motivation of this draft for the target of the attack.
Tricci > The main concern is not about the attack of an "unauthorized FAP" sending any data to the mobile core network. The main concern is about the attack of the "unauthorized FAP" sending "false" configuration information (e.g. such as changing the FAP from "Closed" to become "Open"); "false" access control related information (e.g. allowing a 3GPP UE which is supposed to be allowed to access the FAP and to have the access privilege to the FAP - i.e. CSG info alteration, etc.). Once the FAP's configuration and access control management are authenticated via the support of the notarization by the SeGW, then the rest of the 3GPP UEs' access to the FAP can follow the existing access control and UE-based authentication/authorization procedures at the UE level.

Tricci > Of course, once the UE is authenticated and allowed access to the FAP, whatever the UE sends is beyond the control of the FAP, just as happens today for any mobile device. Isn't it?

If every IP packet carries the SeGW notarized signature, how and where is this signature carried inside the IP packet? cations inside IPsec packet processing? Does this processing happen outside of IPsec? Is it outside the scope of this document? It would be great if some of these aspects are addressed in the draft.

Tricci > Since I have already explained to you that we are not proposing to notarize every single packet sent by the FAP, I don't think that I need to respond to the rest of your questions above.

Tricci > THANK YOU for asking a good question. Cheers.

Thanks,
Dharmanandana Reddy Pothula.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

--------------------------------------------------------
ZTE Information Security Notice: The information contained in this mail is solely property of the sender's organization. This mail communication is confidential.
Recipients named above are obligated to maintain secrecy and are not permitted to disclose the contents of this communication to others. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the originator of the message. Any views expressed in this message are those of the individual sender. This message has been scanned for viruses and Spam by ZTE Anti-Spam system.
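The flow Tricci describes above (SeGW notarizes the FAP's Client_Notarized_Info once, the FAP carries that signature in one configuration message to the core network inside the IPsec tunnel, and the core network verifies it before accepting the configuration) as an added, self-contained example. This is not code from the draft or from either correspondent: the field names (fap_id, access_mode, csg_id, technology), the JSON encoding, and the use of an HMAC with a key shared between SeGW and core network as a stand-in for whatever signature mechanism the draft specifies are all assumptions made here so the example runs on the Python standard library. It also shows the attack the thread is about: a FAP that reuses a genuine notarized signature but flips its access mode from closed to open is rejected.

```python
import hmac
import hashlib
import json

# Constructed key shared between the SeGW and the core network. The draft
# speaks of an SeGW "notarized signature"; an HMAC is used here as a stand-in
# so the example needs no third-party library (assumption, not the draft's
# mechanism). Never hard-code keys like this in real deployments.
SEGW_NOTARY_KEY = b"example-segw-notary-key-not-for-production"


def canonical(info: dict) -> bytes:
    """Deterministic encoding so the SeGW and the core network hash identical
    bytes for the same FAP info (sorted keys, no whitespace)."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode()


def segw_notarize(client_info: dict, key: bytes = SEGW_NOTARY_KEY) -> bytes:
    """SeGW side: after IKEv2 mutual authentication, notarize the FAP-supplied
    Client_Notarized_Info and return the signature to the FAP."""
    return hmac.new(key, canonical(client_info), hashlib.sha256).digest()


def fap_build_signaling(client_info: dict, signature: bytes) -> dict:
    """FAP side: the one configuration message sent to the core network over
    the FAP-SeGW IPsec tunnel. Only this message carries the signature; ordinary
    user-plane packets do not, so the SeGW never inspects it."""
    return {"fap_info": client_info, "segw_signature": signature.hex()}


def core_verify(msg: dict, key: bytes = SEGW_NOTARY_KEY) -> bool:
    """Core network side: recompute the signature over the received FAP info
    and compare in constant time before accepting the configuration."""
    expected = hmac.new(key, canonical(msg["fap_info"]), hashlib.sha256).digest()
    try:
        received = bytes.fromhex(msg["segw_signature"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, received)


def demo() -> tuple:
    """Returns (genuine_accepted, tampered_accepted)."""
    # Constructed sample FAP configuration info (field names are assumptions).
    info = {"fap_id": "fap-0001", "access_mode": "closed",
            "csg_id": 4711, "technology": "3GPP"}
    sig = segw_notarize(info)
    genuine = fap_build_signaling(info, sig)
    # A rogue FAP reuses the genuine signature but reports itself as "open".
    tampered = fap_build_signaling(dict(info, access_mode="open"), sig)
    return core_verify(genuine), core_verify(tampered)


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one Tricci states: the signature binds only the small configuration blob, so there is no per-packet overhead, and the SeGW is out of the loop once it has issued the signature; the core network alone checks it, and any later alteration of the configuration (access mode, CSG information) fails verification.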