[DMM] Secdir last call review of draft-ietf-dmm-pmipv6-dlif-04
Vincent Roca via Datatracker <noreply@ietf.org> Mon, 21 October 2019 12:47 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dmm@ietf.org
Delivered-To: dmm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BFE12013B; Mon, 21 Oct 2019 05:47:07 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Vincent Roca via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-dmm-pmipv6-dlif.all@ietf.org, ietf@ietf.org, dmm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.106.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Vincent Roca <vincent.roca@inria.fr>
Message-ID: <157166202760.31949.6972305880517491481@ietfa.amsl.com>
Date: Mon, 21 Oct 2019 05:47:07 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmm/2cCcChMFopku0TWF_cFGn3WA2W0>
Subject: [DMM] Secdir last call review of draft-ietf-dmm-pmipv6-dlif-04
X-BeenThere: dmm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Distributed Mobility Management Working Group <dmm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmm>, <mailto:dmm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmm/>
List-Post: <mailto:dmm@ietf.org>
List-Help: <mailto:dmm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmm>, <mailto:dmm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 12:47:08 -0000
Reviewer: Vincent Roca Review result: Has Nits Hello, I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: Almost ready / has nits RFC4832 is a nice document that explains in detail security threats for the class of mobility management protocol PMIPv6 belongs to. It is referenced by RFC5213 which itself is referenced by the current document. Therefore I think that an interested reader can find the requiered information. However, the small text of section 6 that refers to RFC5213 and updates a few sentences to apply RFC5213 recommendations to MAARs, is misleading in my opinion. It suggests there is a single threat, the impersonation of a MAAR, and since using IPsec eliminates this threat, a reader can easily conclude there's nothing else. But what about the other benefits of using IPsec? Is the use of IPsec only for endpoint authentication (what I understand)? What about anti-replay, integrity, confidentiality? Is it meaningless in the present context? By the way, what is the attacker model? The subject is too complex, the risks are too varied, and I don't like this way of presenting things that overly simplifies the problems. Clarification on a different topic: This is a detail, but the document refers to the S-MAAR's global address or P-MAAR's global address as if there was a necessarily a single address. What happens if a MAAR has multiple global addresses? It may happen with a router that is multiply connected to the Internet. Cheers. Vincent
- [DMM] Secdir last call review of draft-ietf-dmm-p… Vincent Roca via Datatracker