Hi Zaifeng,

About the error condition: is there any plan to add new error message types to the Notify payload to handle verification-failure scenarios? I feel it would be appropriate to inform the FAP, so this helps the FAP to correct itself if misconfigured.

I have one more question about the proposed solution. Can't we handle verifying the FAP configuration information inside the Femto Gateway? The Femto Gateway can inform the security gateway to bring down the tunnel if verification fails. Anyway, false information submission is a very unlikely scenario, so why do we need to make this config payload exchange part of the regular IKE negotiation? I feel the addition of more config payloads might impact the tunnel setup rate.

Regards,
Dharmanandana Reddy Pothula

From: zong.zaif...@zte.com.cn [mailto:zong.zaif...@zte.com.cn]
Sent: Thursday, February 02, 2012 1:51 PM
To: dharmanandana.pothu...@huawei.com
Cc: ipsec@ietf.org; ipsec-boun...@ietf.org; t...@zteusa.com
Subject: Reply: RE: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt

Hi Dharmanandana:

The notarized signature will not be sent in every IPSec packet. It will be sent to the core network when the FAP registers to the core network, inside the signalling between the FAP and the core network. After it is registered to the core network, the FAP is activated to accept attachment of mobile terminals. I wish this clarifies.

Thanks!
BR
Zaifeng

Dharmanandana Reddy Pothula <dharmanandana.pothu...@huawei.com>
2012-01-31 18:43
Please respond to dharmanandana.pothu...@huawei.com
To: t...@zteusa.com
Cc: ipsec@ietf.org, ipsec-boun...@ietf.org, zong.zaif...@zte.com.cn
Subject: RE: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt

Hi Tricci,

Thanks for your explanation. I get your point on why the notarized signature is required, but my question is not about notarizing every packet. Let me ask my question in a different way: does the FAP send the notarized signature in every IPSec packet to the core network? As I understand from the draft, before accepting every IPSec packet the core network validates the notarized signature. Where is this notarized signature placed in every IPSec packet?

Thanks,
Dharmanandana Reddy Pothula

From: t...@zteusa.com [mailto:t...@zteusa.com]
Sent: Wednesday, January 25, 2012 1:26 PM
To: dharmanandana.pothu...@huawei.com
Cc: ipsec@ietf.org; ipsec-boun...@ietf.org; zong.zaif...@zte.com.cn; t...@zteusa.com
Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev

Dear Dharmanandana,

I hope that I address you correctly. If not, please pardon my ignorance. As this week is the spring festival, ZaiFeng is not available. Hence, I would like to respond to you on her behalf. Could you please kindly see my responses to you inline below. Many thanks.

Tricci

Dharmanandana Reddy <dharmanandana.pothu...@huawei.com>
Sent by: ipsec-boun...@ietf.org
01/24/2012 04:04 AM
Please respond to dharmanandana.pothu...@huawei.com
To: zong.zaif...@zte.com.cn
cc: ipsec@ietf.org
Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt

Hi Zaifeng,

I have the following questions and concerns about your proposed solution: "The FAP will then send the FAP information together with the corresponding SeGW notarized signature to its mobile operator's core network. The core network verifies the FAP information by validating the SeGW notarized signature prior to the acceptance of the information".

Does every IP packet carry the SeGW notarized signature after the server sends the notarized signature to the client? If not, what's the point in returning the notarized signature to the client? I believe yes; if so, it will increase the percentage of overhead per packet and may impact the quality of real-time voice and video.

Tricci > You ask a very legitimate question. Maybe our draft is not clear enough to explain the main motivation of this draft for the target of the attack.

Tricci > The main concern is not about the attack of an "unauthorized FAP" sending any data to the mobile core network. The main concern is about the attack of the "unauthorized FAP" sending "false" configuration information (e.g. such as changing the FAP from "Closed" to become "Open"; "false" access control related information, e.g. allowing a 3GPP UE which is supposed to be allowed to access the FAP and to have the access privilege to the FAP, i.e. CSG info alteration, etc.). Once the FAP's configuration and access control management are authenticated via the support of the notarization by the SeGW, then the rest of the 3GPP UEs' access to the FAP can follow the existing access control and UE-based authentication/authorization procedures at the UE level.

Tricci > Of course, once the UE is authenticated and allowed to access the FAP, whatever the UE sends is beyond the control of the FAP, just as happens today for any mobile device. Isn't it?

If every IP packet carries the SeGW notarized signature, how and where is this signature carried inside the IP packet? cations inside IPsec packet processing? Does this processing happen outside of IPsec? Is it outside the scope of this document? It would be great if some of these aspects were addressed in the draft.

Tricci > Since I have already explained to you that we are not proposing to notarize every single packet sent by the FAP, I don't think that I need to respond to the rest of your questions above.

Tricci > THANK YOU for asking a good question. Cheers.

Thanks,
Dharmanandana Reddy Pothula.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
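The registration-time notarization flow Tricci and Zaifeng describe (the SeGW notarizes the FAP information submitted during IKEv2, the FAP forwards it once when registering, and the core network verifies it before accepting the configuration), as an added example that is not part of this thread or of the draft. It substitutes an HMAC under a key shared between SeGW and core network for the draft's SeGW signature, and the FAP identity, configuration fields and key are constructed.

```python
import hashlib
import hmac
import json

# Constructed for this example: a key shared by the SeGW and the core network.
# The draft uses a SeGW signature; an HMAC stands in for it here so the example
# runs with the standard library only.
SEGW_NOTARY_KEY = b"example-segw-notary-key"

# Constructed FAP identity (as authenticated by the SeGW during IKEv2) and the
# configuration the FAP submitted in its config payload.
FAP_ID = "fap-0001.example.net"
FAP_INFO = {"access_mode": "closed", "csg_id": 4242, "cell_id": "femto-0001"}


def canonical(fap_info: dict) -> bytes:
    """Serialise the configuration deterministically so both sides hash the same bytes."""
    return json.dumps(fap_info, sort_keys=True, separators=(",", ":")).encode()


def segw_notarize(fap_id: str, fap_info: dict, key: bytes = SEGW_NOTARY_KEY) -> str:
    """SeGW binds the authenticated FAP identity to the configuration it received."""
    msg = fap_id.encode() + b"\x00" + canonical(fap_info)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def core_accept_registration(fap_id: str, fap_info: dict, notarized: str,
                             key: bytes = SEGW_NOTARY_KEY) -> tuple[bool, str]:
    """Core network: accept the FAP information only if the notarization checks out."""
    expected = segw_notarize(fap_id, fap_info, key)
    if not hmac.compare_digest(expected, notarized):
        return False, "notarized signature does not match submitted FAP information"
    return True, "FAP information accepted"


def demo() -> tuple[bool, bool, bool]:
    """Honest registration, altered configuration, and notarization bound to another FAP."""
    notarized = segw_notarize(FAP_ID, FAP_INFO)  # issued once, during IKEv2 setup
    honest, _ = core_accept_registration(FAP_ID, FAP_INFO, notarized)
    # The case the draft targets: "closed" changed to "open" after notarization.
    altered, _ = core_accept_registration(FAP_ID, dict(FAP_INFO, access_mode="open"), notarized)
    # The notarization is also bound to the FAP identity the SeGW authenticated.
    other_fap, _ = core_accept_registration("fap-0002.example.net", FAP_INFO, notarized)
    return honest, altered, other_fap


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the check happens once at registration rather than per packet, it adds no per-packet overhead to the IPsec tunnel.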