IETF Logo Mail Archive

Re: [DMM] Alexey Melnikov's No Objection on draft-ietf-dmm-lma-controlled-mag-params-04: (with COMMENT)

"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Mon, 15 May 2017 03:01 UTC

Return-Path: <sgundave@cisco.com>
X-Original-To: dmm@ietfa.amsl.com
Delivered-To: dmm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02DAA129541; Sun, 14 May 2017 20:01:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EazVD3H_VINI; Sun, 14 May 2017 20:01:06 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF552129490; Sun, 14 May 2017 19:57:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3030; q=dns/txt; s=iport; t=1494817033; x=1496026633; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=5hy/PBYcT8iSx9SLWwyenYFib6ivfemDW2gx6gfLYb4=; b=i2VrFkCIsJ0tDAMY32R36UmI9FlMPMTYgpRqrYGk283wVgU0jTUV81Ot jmEB6RJy0OlY5Bh0js0H6zyWdruvWsgZJQZCuGqpMCzB/4TGebXoxq1ai +CtVeDYeSGReimQNbDOPpUuGEx4jbfcZ71+faNY5gl/yMAeNFu9TATRcQ o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CYAABqGBlZ/5FdJa1cGQEBAQEBAQEBAQEBBwEBAQEBgyorgW4HjXyRXpV1gg+GJAKFGT8YAQIBAQEBAQEBayiFGQEFZxIQAgEIGC4yJQIEAQ0FiiOvbIpCAQEBAQEBAQEBAQEBAQEBAQEBAR+GX4R5hGOFcgEEiUSHIY0lAZMaggSFO4oslEIBHziBCnAVhT0cGYFKdodSgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.38,342,1491264000"; d="scan'208";a="424648573"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 May 2017 02:57:11 +0000
Received: from XCH-ALN-019.cisco.com (xch-aln-019.cisco.com [173.36.7.29]) by rcdn-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v4F2vBIx031112 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 15 May 2017 02:57:11 GMT
Received: from xch-aln-008.cisco.com (173.36.7.18) by XCH-ALN-019.cisco.com (173.36.7.29) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 14 May 2017 21:57:11 -0500
Received: from xch-aln-008.cisco.com ([173.36.7.18]) by XCH-ALN-008.cisco.com ([173.36.7.18]) with mapi id 15.00.1210.000; Sun, 14 May 2017 21:57:11 -0500
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: Ben Campbell <ben@nostrum.com>, "Dhananjay Patki (dhpatki)" <dhpatki@cisco.com>
CC: Mirja Kühlewind <ietf@kuehlewind.net>, Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, "draft-ietf-dmm-lma-controlled-mag-params@ietf.org" <draft-ietf-dmm-lma-controlled-mag-params@ietf.org>, Dapeng Liu <max.ldp@alibaba-inc.com>, "dmm-chairs@ietf.org" <dmm-chairs@ietf.org>, "dmm@ietf.org" <dmm@ietf.org>
Thread-Topic: Alexey Melnikov's No Objection on draft-ietf-dmm-lma-controlled-mag-params-04: (with COMMENT)
Thread-Index: AQHSzSbyzETLmGjWGkiJt6y6vCofgg==
Date: Mon, 15 May 2017 02:57:10 +0000
Message-ID: <D53E6302.276F94%sgundave@cisco.com>
References: <149199352865.15645.2318473152126054699.idtracker@ietfa.amsl.com> <7D444A20-2C3B-46FE-BB25-79BE67018A8F@cisco.com> <646D4962-4826-450C-9F85-AFA4576C315A@nostrum.com>
In-Reply-To: <646D4962-4826-450C-9F85-AFA4576C315A@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.246.211]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <160F06E650529B4A9DB9BEB07112DD81@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmm/bo4p7WyMzjL7DIeieD9k2jwP_kg>
Subject: Re: [DMM] Alexey Melnikov's No Objection on draft-ietf-dmm-lma-controlled-mag-params-04: (with COMMENT)
X-BeenThere: dmm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Distributed Mobility Management Working Group <dmm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmm>, <mailto:dmm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmm/>
List-Post: <mailto:dmm@ietf.org>
List-Help: <mailto:dmm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmm>, <mailto:dmm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 03:01:08 -0000

Hi Ben,


>Security Considerations: Seems like more is needed here. Do you mean to
>say that none of these parameters add any security considerations that
>were not there for existing headers? If that's the case, please say so,
>and why people believe that to be the case.

The option defined in this draft, ³LMA Controlled MAG Parameters² option
and its sub-options) are standard mobility options. The base specification
(RFC5213) provides the security framework for carrying any mobility
options securely in the PMIPv6 signaling messages and hence does not
require any additional security consideration from the point of the
transport security. Now, with respect to the content carried in these
options and their privacy, these are configuration timers with no privacy
tags. Exposing the content of these mobility options to an intruder does
not introduce any new security threats. Furthermore, the base PMIPv6
document specifies the use of IPSec for security the signaling message.
Operators can potentially use ESP with integrity and with privacy
protection for security the messages. So,  I tend to think the text in the
security consideration and in conjunction with the text in RFC5213
adequately cover all the security aspects.


Regards
Sri







On 5/12/17, 3:11 PM, "Ben Campbell" <ben@nostrum.com> wrote:

>The latest attached version resolves my editorial comments. However, it
>does not resolve my one substantive comment.
>
>> On May 9, 2017, at 11:09 AM, Dhananjay Patki (dhpatki)
>><dhpatki@cisco.com> wrote:
>> 
>> ----------------------------------------------------------------------
>> Ben Campbell
>> ----------------------------------------------------------------------
>> 
>> Substantive:
>> 
>> Security Considerations: Seems like more is needed here. Do you mean to
>> say that none of these parameters add any security considerations that
>> were not there for existing headers? If that's the case, please say so,
>> and why people believe that to be the case.
>
>The attached version modifies the text to say that the new parameters
>here inherit the guidelines from RFC5213.
>
>My point was to say that this draft creates a way to send new kinds of
>options. Is the content of these new parameters similar enough to those
>from RFC 5213 that those guidelines still apply? Does the ability to
>change the re-registration and heartbeat frequencies fall sufficiently
>into those existing guidelines that nothing else needs to be said? If so,
>then it would be helpful to say that. But if those new capabilities are
>materially different than previous ones, then some text that describes
>how they are different, ways they could be abused, and any mechanisms
>that can mitigate that abuse.
>
>For the record, I am not saying that I believe that these new
>capabilities create new vulnerabilities. But the security considerations
>should help the reader understand whether that is true or not.
>
>Thanks!
>
>Ben.
>
>

v2.23.0 | Report a Bug | By Email