Re: [DMM] Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)
"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Thu, 17 August 2017 03:04 UTC
Return-Path: <sgundave@cisco.com>
X-Original-To: dmm@ietfa.amsl.com
Delivered-To: dmm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B104132659; Wed, 16 Aug 2017 20:04:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level:
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DesHhrg-BE7; Wed, 16 Aug 2017 20:04:04 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8817132626; Wed, 16 Aug 2017 20:04:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18584; q=dns/txt; s=iport; t=1502939042; x=1504148642; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=qdKlP+XoG3DcmU1JeFHHfc3YO3Ms4KqDa6id+4Ftv34=; b=gUifzfhPxRhu3WTANAMl994LdRmKLKIvqdns2sg43JruQR4GeT7v7e9g IFXtMnfzBOc/Y8MjUNpjcZK3hE35KoWIHwHO4iAGaq7yXncDRcVBqDSXp fbC/Y0dEpZdTVHO4U+jGYOmYPp2w2takhWhF8v51Fq8q1Sq91D5pa3jxC c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DrAABOB5VZ/49dJa1dGQEBAQEBAQEBAQEBBwEBAQEBgm9rZIEVB4RTiTiQEoFuiDiILIU2DoIELIRMTwKERj8YAQIBAQEBAQEBayiFGQEEAXIHBQsCAQYCPwchERQRAgQBDQUbiTFMAw0IEIw2oAqHPA2EFgEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgyiCAoFMgWODJ4JXgWkBCwYCARsKLwKFPAWJfocXhwaHcTwCh1KHeIR2ghCFYIN7hnGJaIJOiWQBHzh/C3cVSYVMgU52AYcoAiQHgQWBDwEBAQ
X-IronPort-AV: E=Sophos;i="5.41,385,1498521600"; d="scan'208,217";a="472628853"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Aug 2017 03:04:01 +0000
Received: from XCH-RCD-007.cisco.com (xch-rcd-007.cisco.com [173.37.102.17]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id v7H341vL001866 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Aug 2017 03:04:01 GMT
Received: from xch-aln-008.cisco.com (173.36.7.18) by XCH-RCD-007.cisco.com (173.37.102.17) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 16 Aug 2017 22:04:00 -0500
Received: from xch-aln-008.cisco.com ([173.36.7.18]) by XCH-ALN-008.cisco.com ([173.36.7.18]) with mapi id 15.00.1210.000; Wed, 16 Aug 2017 22:04:01 -0500
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dmm-mag-multihoming@ietf.org" <draft-ietf-dmm-mag-multihoming@ietf.org>, Jouni Korhonen <jouni.nospam@gmail.com>, "dmm-chairs@ietf.org" <dmm-chairs@ietf.org>, "dmm@ietf.org" <dmm@ietf.org>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)
Thread-Index: AQHTFwV5phU5hY4eRk6/IO/vBdSuEQ==
Date: Thu, 17 Aug 2017 03:04:01 +0000
Message-ID: <D5BA4FC7.287B1F%sgundave@cisco.com>
References: <150161840636.12123.2784912255737760138.idtracker@ietfa.amsl.com>
In-Reply-To: <150161840636.12123.2784912255737760138.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.20.188.62]
Content-Type: multipart/alternative; boundary="_000_D5BA4FC7287B1Fsgundaveciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmm/c4tN-8LSfMhOk6KobDxpo9gMF5s>
Subject: Re: [DMM] Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)
X-BeenThere: dmm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Distributed Mobility Management Working Group <dmm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmm>, <mailto:dmm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmm/>
List-Post: <mailto:dmm@ietf.org>
List-Help: <mailto:dmm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmm>, <mailto:dmm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 03:04:08 -0000
Hi Kathleen and Hilarie, Thank you for reviewing the documents and the feedback. Please see inline. > For security considerations, the authors predictably defer to RFC5213, “Proxy Mobile IPv6”, and assert "no impact on the protocol security". However, there is one security issue that is mentioned in RFC5213 that is exacerbated by the current draft. I.e., > To address the threat related to a compromised mobile access gateway, the local mobility anchor, before accepting a Proxy Binding Update message for a given mobile node, may ensure that the mobile node is attached to the mobile access gateway that sent the Proxy Binding Update message. A MAG is required to prove the presence of a mobile node’s presence on its (ingress) access link. That assertion needs to be validated by the LMA. But, MAG using a single tunnel or multiple tunnels has no relation to this issue. The LMA identifies the MAG using the MAG-NAI and not using Care-of Address; a new option, MAG Identifier option is defined in section 4.2 for this purpose. > Is there any reason to worry about reuse of CoAs? Could packets from one tunnel get a CoA that was recently used by another tunnel, and could delayed packets get routed through the wrong tunnel? Just asking. The tunnels between LMA and MAG are dynamically established after protocol signaling. The idea of CoA re-use between MAG’s and delayed packets getting delivered to a different MAG is impossible to realize even in lab conditions. It is possible there are two MAG’s in a given access network and one looses the CoA and the other MAG gets the name address. But, the tunnels comes up after PBU/PBA exchange which introduces some delay, and so the possibility of packets from previous MAG-era getting showing up at the new MAG is nearly impossible and is not worth mentioning it, IMO. > Nits. On page 3 there is a paragraph beginning “In the continuation of c, a Proxy Mobile IPv6 ..." There is no explanation of “c". Is this a remnant of a list of items "a, b, c"? Fixed in -04 version > On page 4 there is Figure 1 showing four flows and two tunnels. The We just wanted to hint that the Flow-4 is based on per-packet load balancing using both the paths, whereas the other flows are routed based on Per-flow load balancing. But, I think the comment is still valid. We should show the use of a single forwarding mode and not mix both the modes. Minor nit, will fix it. Thank you for your review. Regards Sri ————————————————— Security review of MAG Multipath Binding Option draft-ietf-dmm-mag-multihoming-03.txt Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. If you've been frustrated by being limited to only one IP tunnel between a mobile access gateway and a local mobility anchor, then you'll be glad to know that this draft fixes the problem and enables multiple care-of addresses and IP tunnels. Now mobile devices can be assigned to any applicable tunnel between the MAG and the LMA. For security considerations, the authors predictably defer to RFC5213, "Proxy Mobile IPv6", and assert "no impact on the protocol security". However, there is one security issue that is mentioned in RFC5213 that is exacerbated by the current draft. I.e., To address the threat related to a compromised mobile access gateway, the local mobility anchor, before accepting a Proxy Binding Update message for a given mobile node, may ensure that the mobile node is attached to the mobile access gateway that sent the Proxy Binding Update message. The RFC has no recommendation for a solution, but because there are now multiple tunnels, this assurance may be more difficult to obtain. For example, if the LMA expects to contact some kind of trusted entity that is keeping track of the mobile devices that the MAG is sending on a tunnel, then the MAG and LMA may now have to keep track of multiple trusted entities, one for each tunnel. Whether or not this is a realistic scenario is not something that I can judge because RFC5213 punts on what seems to be an important security issue. Is there any reason to worry about reuse of CoAs? Could packets from one tunnel get a CoA that was recently used by another tunnel, and could delayed packets get routed through the wrong tunnel? Just asking. Nits. On page 3 there is a paragraph beginning "In the continuation of c, a Proxy Mobile IPv6 ..." There is no explanation of "c". Is this a remnant of a list of items "a, b, c"? On page 4 there is Figure 1 showing four flows and two tunnels. The text immediately preceding that says that "Flow-1,2 and 3 are distributed either on Tunnel-1 (over LTE) or Tunnel-2 (over WLAN)", but the diagram shows Flow-1 on Tunnel-1 and Flow-2,3 on Tunnel-2. I think the text should indicate that the first three flows are each assigned to a single tunnel. The authors probably meant that either Tunnel-1 or Tunnel-2 could have been assigned, but the choice was to put Flow-1 on Tunnel-1 and the other flows on Tunnel-2. I had to read over the text several times before I was sure of the intent. Hilarie On 8/1/17, 1:13 PM, "Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com<mailto:Kathleen.Moriarty.ietf@gmail.com>> wrote: Kathleen Moriarty has entered the following ballot position for draft-ietf-dmm-mag-multihoming-04: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dmm-mag-multihoming/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for your work on this draft. I had the same concern as the SecDir reviewer in reading the draft, the concern about leaking traffic as a result of multiple tunnels is not addressed in the security considerations section. Hilary's writeup is quite helpful https://www.ietf.org/mail-archive/web/secdir/current/msg07446.html
- [DMM] Kathleen Moriarty's Discuss on draft-ietf-d… Kathleen Moriarty
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… pierrick.seite
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… Sri Gundavelli (sgundave)
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… Kathleen Moriarty
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… Sri Gundavelli (sgundave)