Hi,
My understanding is that the notarized signature is carried by IKE. After
IKE's procedure is done, the following packet can be protected by IPsec
(e.g. ESP).
----------------
Yinxing Wei
On 2012-1-31, at 6:43 PM, Dharmanandana Reddy Pothula
<[email protected]> wrote:
> Hi Tricci,
>
> Thanks for your explanation. I get your point why the notarized signature
> is required, but my question is not about notarizing every packet. Let me ask
> my question in a different way: does the FAP send the notarized signature in
> every IPSec packet to the core network? As I understand from the draft, before
> accepting every IPSec packet, the core network validates the notarized
> signature. Where is this notarized signature placed in every IPSec packet?
> Thanks,
> Dharmanandana Reddy Pothula
>
> From: [email protected] [mailto:[email protected]]
> Sent: Wednesday, January 25, 2012 1:26 PM
> To: [email protected]
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]
> Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipse
> cme-ikev
>
> Dear Dharmanandana,
>
> I hope that I address you correctly. If not, please pardon my ignorance.
>
> As this week is spring festival, ZaiFeng is not available. Hence, I would
> like to respond to you on behalf of her.
>
> Could you please kindly see my responses to you inline below. Many thanks.
> Tricci
>
> Dharmanandana Reddy <[email protected]>
> Sent by: [email protected]
> 01/24/2012 04:04 AM
> Please respond to: [email protected]
> To: [email protected]
> cc: [email protected]
> Subject: Re: [IPsec] [IPSec]: New Version Notification for draft-zong-ipsecme-ikev2-cpext4femto-00.txt
>
> Hi Zaifeng,
>
> I have the following questions and concerns about your proposed solution "The
> FAP will then send the FAP information together with the corresponding SeGW
> notarized signature to its mobile operator's core network. The core network
> verifies the FAP information by validating the SeGW notarized signature prior
> to the acceptance of the information".
> Does every IP packet carry the SeGW notarized signature after the server sends
> the notarized signature to the client? If not, what's the point in returning
> the notarized signature to the client? I believe yes; if so, it will increase
> the percentage of overhead per packet and may impact the quality of real-time
> voice and video.
>
> Tricci > You ask a very legitimate question. Maybe our draft is not clear
> enough to explain the main motivation of this draft for target of the attack.
>
>
> Tricci > The main concern is not about the attack for "unauthorized FAP" to
> send any data to the mobile core network. The main concern is about the
> attack of the "unauthorized FAP" to send the "false" configuration
> information (e.g. such as changing the FAP from "Closed" to become "Open";
> "false" access control related information (e.g. allowing a 3GPP UE which is
> supposed to be allowed to access the FAP and to have the access privilege to
> the FAP - i.e. CSG info alteration, etc.). Once the FAP's configuration and
> access control management are authenticated via the support of the
> notarization by the SeGW, then, the rest of the 3GPP UEs' access to the FAP
> can follow the existing access control and UE-based
> authentication/authorization procedures at the UE level's.
>
> Tricci > Of course, once the UE is authenticated and to allow access to the
> FAP, whatever the UE sends is beyond the control of the FAP just as what is
> happened today for any mobile device. Isn't it?
>
> if every ip packet carries SeGW notarized signature, How and where this
> signature carried inside ip packet? cations inside IPsec packet processing?
> Is this processing happens outside of IPsec? is it outside scope of this
> document? It would be great, if some of these aspects are addressed in the
> draft.
>
> Tricci > Since I have already explained to you that, we are not proposing to
> notarize every single packet sent by FAP. Hence, I don't think that I need
> to respond to your rest of the questions above.
>
> Tricci > THANK YOU for asking a good question. Cheers.
>
> Thanks,
>
> Dharmanandana Reddy Pothula.
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec