1 Apr 2004 10:30
Re: Section 8 comment in IESG review
Mattias Pettersson <mattias.l.pettersson <at> ericsson.com>
2004-04-01 08:30:28 GMT
Hi Hesham,

Soliman Hesham wrote:
> I saw Steve Bellovin's comment on this section below.
> Since I've been wanting to raise the same point, I have
> a short comment.
>
> 8: This text is unclear:
>
> When the Mobile Router and the Home Agent exchange routes
> through a dynamic routing protocol, the Mobile Router
> should be careful in including the same Mobile Network
> Prefixes in the Binding Update to the Home Agent and in
> the routing protocol updates. The Home Agent depending
> on its configuration might not add routes based on the
> prefix information in the Binding Updates at all, and
> might use only the routing protocol updates. Moreover,
> including the same prefix information in both the Binding
> Update and the routing protocol update is redundant.
>
> Do you mean "be careful to include the same information in
> both places" -- redundancy is sometimes good. Or do you
> mean "be careful to avoid doing this"? Personally, I think
> the former is more appropriate, because it allows a check
> on the validity of the routing information. Note that the
> prefixes announced via binding updates are checked for
> authorization; routing data generally is not. I would thus
> suggest that routing advertisements MUST NOT contain any
> prefixes not known to the home agent by either implicit
> mode configuration or explicit mode announcement.
>
> => Basically I think we need to make sure that the HA
> checks the routing information exchanged and matches it
> against the prefix information that it already knows from
> the MNP table/manual config/BCEs ..etc to make sure that
> MRs are authorised to advertise such prefix(es).
> So we need tight coupling between the routing protocol
> content and the content in the BU/manual config.
> Otherwise Bad Guy could send a valid BU and start announcing
> someone else's prefix.
>
> Note that in many cases today IGPs are authenticated with
> a single "domain key". To maintain this type of security
> we need to verify that the MRs are authorised to advertise
> reachability to the prefixes in question.
>
> I think a text change for this section will suffice.

I basically agree with you. I think there may be two use cases here with slightly different assumptions:

1. All MRs and HA belong to the same administrative domain. They can have a single trust level (domain key).

2. MRs belong to different administrative domains or the HA and the MRs belong to different domains. Obviously they don't trust each other.

In 1) it would be ok to separate BU authorization from routing protocol authorization. In 2) it wouldn't.

What you propose is to always go with the assumption that entities don't trust each other and that we have multiple trust relationships.

I'm just curious how difficult one can consider it is (implementation-wise) to exchange information between a RIPng process and the HA function inside the HA.

/Mattias
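The coupling discussed in this thread, sketched as an added example that is not part of the original message or of the draft: a Home Agent filters the prefixes a Mobile Router advertises through the routing protocol against the prefixes it already holds for that MR from Binding Updates (explicit mode) and configuration (implicit mode). The function names, MR identifiers and 2001:db8:: prefixes are constructed, and accepting more-specific routes is an optional assumption, off by default.

```python
import ipaddress

def build_authorized(binding_cache, static_config):
    """Merge explicit-mode (BU) and implicit-mode (configured) prefixes per MR."""
    table = {}
    for source in (binding_cache, static_config):
        for mr, prefixes in source.items():
            table.setdefault(mr, set()).update(
                ipaddress.ip_network(p) for p in prefixes)
    return table

def filter_routes(mr, advertised, authorized, allow_more_specific=False):
    """Split the routes advertised by `mr` into (accepted, rejected)."""
    allowed = authorized.get(mr, set())   # unknown MR: nothing is authorized
    accepted, rejected = [], []
    for text in advertised:
        try:
            net = ipaddress.ip_network(text)   # strict: host bits must be zero
        except ValueError:
            rejected.append(text)              # malformed prefix
            continue
        ok = net in allowed or (allow_more_specific and any(
            net.version == a.version and net.subnet_of(a) for a in allowed))
        (accepted if ok else rejected).append(text)
    return accepted, rejected

# Constructed sample state: what the HA learned from BUs and from config.
BINDING_CACHE = {"mr1": ["2001:db8:1::/48"], "mr2": ["2001:db8:2::/48"]}
STATIC_CONFIG = {"mr1": ["2001:db8:a::/48"]}
AUTHORIZED = build_authorized(BINDING_CACHE, STATIC_CONFIG)

# Constructed routing update from mr1: its own prefixes, mr2's prefix,
# and a more-specific route inside its own /48.
UPDATE_FROM_MR1 = ["2001:db8:1::/48", "2001:db8:2::/48",
                   "2001:db8:1:5::/64", "2001:db8:a::/48"]

if __name__ == "__main__":
    ok, bad = filter_routes("mr1", UPDATE_FROM_MR1, AUTHORIZED)
    print("install:", ok)
    print("drop and log:", bad)
```

With a single shared IGP key, the `mr` identity passed to the filter has to come from the binding (for example the tunnel the update arrived on), since the routing protocol's own authentication does not distinguish one MR from another.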