Addressing tBCE via an implementation specific at LMA
Sorry, reposting with the correct subject :)
Hello Ryuji and All,
I am reposting this email (removed unnecessary text) which clarifies that
adding some text to mention that what tBCE draft is trying to do can be
addressed by implementation specific is NOT necessarily true.
Please take your time to read this email and if you still have any
questions, please let me know.
From: Muhanna, Ahmad (RICH1:2H10)
Sent: Tuesday, October 21, 2008 9:13 PM
To: 'Ryuji Wakikawa'
Cc: 'Vijay Devarapalli'; '[hidden email]'
Subject: RE: [Mipshop] Adoption of draft-liebsch-netlmm-transient-bce-pmipv6 as a WG document
This one you apparently referenced in your original email where the LMA
may keep the BCE which points to the pMAG for a little longer to capture
in-flight uplink packets. In this case, the LMA has already received a
PBU and sent a PBA to the nMAG and the tunnel has been switched to point
to the nMAG, taking into consideration the above trick.
In this case, apparently the MN (previous) Proxy BCE had a pCoA which
points to the pMAG and this was established via a secure PMIPv6
signaling. Additionally the LMA has received another secure PBU from the
nMAG to indicate the mobile node movement and HO process and to update
the MN proxy point of attachment by updating the MN proxy BCE with the
From a security perspective, someone may argue that a preconfigured
timer may solve this issue and there is NOT much great security risk
involved in here, for the fact that the MN PMA (MAG) has signaled via
secure PBU that the MN is in the process of handoff in order for the LMA
to update the MN proxy BCE.
From a security perspective, the problem arises when some people think of
the usecase 1 as defined in tBCE draft as the same as this one!:)
The case which we refer to as usecase 1 in the tBCE draft is as follows:
The LMA has a proxy BCE for the MN which has a pCoA that points to the
The LMA has a routing entry for the MN HNP which points to the pMAG-LMA
ALL of a sudden, the LMA receives an IP-in-IP uplink data packet from a
MAG, it happens to be the nMAG with a payload carrying a data packet
with a source IP address which belongs to a MN HNP that is supposed to
be hosted at the pMAG.
IMO, any action that the LMA MAY take based ONLY on receiving an uplink
data packet that is coming from a nMAG is an insecure mechanism. Since
the data path is not necessarily secure, then it is NOT possible to just
allow the LMA to accept this traffic without security violation. That is
AGAINST all mobility protocols.
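
The two situations contrasted in the message above, modeled as an added example (not code from the email or from the tBCE draft): the proxy BCE changes only on an authenticated PBU, the pMAG stays valid for a short preconfigured window after that PBU, and an uplink packet from a MAG with no binding is dropped without touching state. The class names, the `authenticated` flag standing in for PMIPv6 signaling security, the 0.5 s timer and all addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProxyBCE:
    hnp: ipaddress.IPv6Network            # MN home network prefix
    proxy_coa: ipaddress.IPv6Address      # current MAG, set only by a secure PBU
    prev_coa: Optional[ipaddress.IPv6Address] = None  # pMAG after a handover
    prev_until: float = 0.0               # end of the pMAG grace window

class LMA:
    GRACE = 0.5  # assumed preconfigured timer, in seconds

    def __init__(self):
        self.cache = {}  # MN identifier -> ProxyBCE

    def handle_pbu(self, mn_id, hnp, mag, authenticated, now):
        """Only signaling that passed PMIPv6 security may touch the BCE."""
        if not authenticated:
            return "reject"
        mag = ipaddress.ip_address(mag)
        bce = self.cache.get(mn_id)
        if bce is None:
            self.cache[mn_id] = ProxyBCE(ipaddress.ip_network(hnp), mag)
        elif mag != bce.proxy_coa:
            # Handover: keep the pMAG briefly for in-flight uplink packets.
            bce.prev_coa, bce.prev_until = bce.proxy_coa, now + self.GRACE
            bce.proxy_coa = mag
        return "accept"

    def handle_uplink(self, outer_src, inner_src, now):
        """Classify a tunneled uplink packet; never modifies the BCE."""
        outer = ipaddress.ip_address(outer_src)
        inner = ipaddress.ip_address(inner_src)
        for bce in self.cache.values():
            if inner in bce.hnp:
                if outer == bce.proxy_coa:
                    return "forward"
                if outer == bce.prev_coa and now < bce.prev_until:
                    return "forward-grace"
                return "drop-mag-mismatch"
        return "drop-no-binding"

# Constructed addresses (documentation prefix 2001:db8::/32).
PMAG, NMAG = "2001:db8:a::1", "2001:db8:b::1"
HNP, MN_SRC = "2001:db8:100::/64", "2001:db8:100::5"
```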