Hi Tricci,

 

Thanks for your explanation. I get your point about why a notarized signature
is required, but my question is not about notarizing every packet. Let me ask
my question in a different way: does the FAP send a notarized signature in every
IPSec packet to the core network? As I understand from the draft, before
accepting every IPSec packet, the core network validates the notarized signature.
Where is this notarized signature placed in every IPSec packet?

 

Thanks,

Dharmanandana Reddy Pothula

 

From: [email protected] [mailto:[email protected]] 
Sent: Wednesday, January 25, 2012 1:26 PM
To: [email protected]
Cc: [email protected]; [email protected]; [email protected];
[email protected]
Subject: Re: [IPsec] [IPSec]: New Version Notification for
draft-zong-ipsecme-ikev2-cpext4femto-00.txt

 

Dear Dharmanandana, 

I hope that I address you correctly.  If not, please pardon my ignorance. 

As this week is spring festival, ZaiFeng is not available.  Hence, I would
like to respond to you on behalf of her.   

Could you please kindly see my responses to you inline below.  Many thanks. 
Tricci 






From: Dharmanandana Reddy <[email protected]>
Sent by: [email protected]
Sent: 01/24/2012 04:04 AM
Please respond to: [email protected]
To: [email protected]
Cc: [email protected]
Subject: Re: [IPsec] [IPSec]: New Version Notification for
draft-zong-ipsecme-ikev2-cpext4femto-00.txt

 

                




Hi Zaifeng, 
  
I have the following questions and concerns about your proposed solution "The
FAP will then send the FAP information together with the corresponding SeGW
notarized signature to its mobile operator's core network. The core network
verifies the FAP information by validating the SeGW notarized signature
prior to the acceptance of the information". 
  
Does every IP packet carry the SeGW notarized signature after the server sends
the notarized signature to the client? If not, what's the point in returning
the notarized signature to the client? I believe yes; if so, it will increase
the percentage of overhead per packet and may impact the quality of real-time
voice and video. 

Tricci > You ask a very legitimate question.  Maybe our draft is not clear
enough to explain the main motivation of this draft for the target of the
attack.   

Tricci > The main concern is not about the attack for "unauthorized FAP" to
send any data to the mobile core network.  The main concern is about the
attack of the "unauthorized FAP" to send the "false" configuration
information (e.g. such as changing the FAP from "Closed" to become "Open"),
and to send the "false" access control related information (e.g. allowing a
3GPP UE which is supposed to be allowed to access the FAP and to have the
access privilege to the FAP - i.e. CSG info alteration, etc.).  Once the
FAP's configuration and access control management are authenticated via the
support of the notarization by the SeGW, then the rest of the 3GPP UEs'
access to the FAP can follow the existing access control and UE-based
authentication/authorization procedures at the UE level.   

Tricci > Of course, once the UE is authenticated and allowed access to the
FAP, whatever the UE sends is beyond the control of the FAP, just as what
happens today for any mobile device.  Isn't it?   
  
If every IP packet carries the SeGW notarized signature, how and where is this
signature carried inside the IP packet? Will it bring some modifications inside
IPsec packet processing? Does this processing happen outside of IPsec? Is it
outside the scope of this document? It would be great if some of these aspects
were addressed in the draft. 
  
Tricci > Since I have already explained to you that we are not proposing to
notarize every single packet sent by the FAP, I don't think that I need
to respond to the rest of your questions above.   

Tricci > THANK YOU for asking a good question.  Cheers. 

Thanks, 
  
Dharmanandana Reddy Pothula. 
  
  
  
 _______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec



 