IETF Logo Mail Archive

Re: [DMM] Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 17 August 2017 14:05 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: dmm@ietfa.amsl.com
Delivered-To: dmm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49AA013242C; Thu, 17 Aug 2017 07:05:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zFAt_UhedXbu; Thu, 17 Aug 2017 07:05:34 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F71132063; Thu, 17 Aug 2017 07:05:33 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id i12so43711930pgr.3; Thu, 17 Aug 2017 07:05:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=83XzUYB2JPOgQUQGZ9/XOOhyILlpySepW2H0RCdx2w0=; b=CcdIOKhvQgBnYFVcFAgYhVRpwECL9YOahBflH0nyZ8OaDfujWIGRz4tLE+Y6gm8Z9y BTJmCPnExbVfPZTVjNwMlyiPti1kAV1KgsghqmLJS96tnUV7P6tb6K0syR4+0A88ot89 gSQ4+yHhAappkbKXfEWHvXmKu9qtbUr5XbnDScwlGuHPx/RLWVwnAy/+85SBGhHip/yf OvRQxvbRRKYCWr6FchEs/jb/cI/0CB+RxWc1cYbEqEeSL2J3AKH8KeMBCcTOaIC/gm6g N4OO4ayCQ0TNIUasCfttUtpwdKMT0fYR+/rpTHrVlNZ/uphV6Tce4DO0ubTld71DBVc0 ybjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=83XzUYB2JPOgQUQGZ9/XOOhyILlpySepW2H0RCdx2w0=; b=BHKEHsYVomVsJ2Z3Kq4Zl0FvzKoXu4XDukIT6xt+Tp9sNN+hrDDu20wjxwCYeQBaio 7hkTohg8XkZBK3pkZw7XppeygR4KD4NtQ0QLyrwujOCWB0MaYLA8hQFDzX3C0nfEwjuR s8WhXo9iIMtt/N8A+1vtVnjdS6aiKlCUCnY4QQRTrxvFvSJn9xr4u7WpuYzwy7Yoib+c zltNe9QJioTToESBmqmDBaFPOLUG7Q9o+tEeq4URPFcOfqZy7I9GuXa+PDCQmMrvoS1w ZsEAmpDEBNnlyhz4xdp5+qu5bQh2JTXZphZ92MDTOFv1fCzw+EzfgTIbTxaT/DBe47GZ EmSw==
X-Gm-Message-State: AHYfb5hJ2eMDNU3C7uxgP3ESbhCKidbL1FgbexiwRJWAVIvhTsSmOfxw f8Bkmp1h0SzTiDV3f53n5e6V43mnoQ==
X-Received: by 10.84.229.13 with SMTP id b13mr5945531plk.352.1502978733293; Thu, 17 Aug 2017 07:05:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.144.1 with HTTP; Thu, 17 Aug 2017 07:04:52 -0700 (PDT)
In-Reply-To: <D5BA4FC7.287B1F%sgundave@cisco.com>
References: <150161840636.12123.2784912255737760138.idtracker@ietfa.amsl.com> <D5BA4FC7.287B1F%sgundave@cisco.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 17 Aug 2017 10:04:52 -0400
Message-ID: <CAHbuEH6n9WnTZNKHk_rF9sKERQo=5c=9U0xmXdmxB56wCGsx0A@mail.gmail.com>
To: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-dmm-mag-multihoming@ietf.org" <draft-ietf-dmm-mag-multihoming@ietf.org>, Jouni Korhonen <jouni.nospam@gmail.com>, "dmm-chairs@ietf.org" <dmm-chairs@ietf.org>, "dmm@ietf.org" <dmm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmm/nwTET7JDZ-Npvp7quDVCtPLRspg>
Subject: Re: [DMM] Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)
X-BeenThere: dmm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Distributed Mobility Management Working Group <dmm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmm>, <mailto:dmm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmm/>
List-Post: <mailto:dmm@ietf.org>
List-Help: <mailto:dmm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmm>, <mailto:dmm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 14:05:36 -0000

Good morning,

On Wed, Aug 16, 2017 at 11:04 PM, Sri Gundavelli (sgundave)
<sgundave@cisco.com> wrote:
> Hi Kathleen and Hilarie,
>
> Thank you for reviewing the documents and the feedback. Please see inline.
>
>
>
>> For security considerations, the authors predictably defer to RFC5213,
>> “Proxy Mobile IPv6”, and assert "no impact on the protocol security".
>> However, there is one security issue that is mentioned in RFC5213 that is
>> exacerbated by the current draft. I.e.,
>
>>  To address the threat related to a compromised mobile access gateway, the
>> local mobility anchor, before accepting a Proxy Binding Update message for a
>> given mobile node, may ensure that the mobile node is attached to the mobile
>> access gateway that sent the Proxy Binding Update message.
>
>
> A MAG is required to prove the presence of a mobile node’s presence on its
> (ingress) access link. That assertion needs to be validated by the LMA. But,
> MAG using a single tunnel or multiple tunnels has no relation to this issue.
> The LMA identifies the MAG using the MAG-NAI and not using Care-of Address;
> a new option, MAG Identifier option is defined in section 4.2 for this
> purpose.
>

Could you add some text to the security considerations to explain why
there is no concern then related to split tunneling/data leakage to
the incorrect tunnel?

>
>
>
>
>> Is there any reason to worry about reuse of CoAs? Could packets from one
>> tunnel get a CoA that was recently used by another tunnel, and could delayed
>> packets get routed through the wrong tunnel? Just asking.
>
> The tunnels between LMA and MAG are dynamically established after protocol
> signaling. The idea of CoA re-use between MAG’s and delayed packets getting
> delivered to a different MAG is impossible to realize even in lab
> conditions. It is possible there are two MAG’s in a given access network and
> one looses the CoA and the other MAG gets the name address. But, the tunnels
> comes up after PBU/PBA exchange which introduces some delay, and so the
> possibility of packets from previous MAG-era getting showing up at the new
> MAG is nearly impossible and is not worth mentioning it, IMO.
>
>
>
>
>
>> Nits. On page 3 there is a paragraph beginning “In the continuation of c,
>> a Proxy Mobile IPv6 ..." There is no explanation of “c". Is this a remnant
>> of a list of items "a, b, c"?
>
> Fixed in -04 version
>
>
>
>
>
>> On page 4 there is Figure 1 showing four flows and two tunnels. The
>
> We just wanted to hint that the Flow-4 is based on per-packet load balancing
> using both the paths, whereas the other flows are routed based on Per-flow
> load balancing. But, I think the comment is still valid. We should show the
> use of a single forwarding mode and not mix both the modes. Minor nit, will
> fix it.

Thank you for fixing this.
Kathleen

>
>
> Thank you for your review.
>
>
> Regards
> Sri
>
>
>
>
>
>
>
> —————————————————
> Security review of
> MAG Multipath Binding Option
> draft-ietf-dmm-mag-multihoming-03.txt
>
> Do not be alarmed. I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG. These comments were written primarily
> for the benefit of the security area directors. Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
>
> If you've been frustrated by being limited to only one IP tunnel
> between a mobile access gateway and a local mobility anchor, then
> you'll be glad to know that this draft fixes the problem and enables
> multiple care-of addresses and IP tunnels. Now mobile devices can be
> assigned to any applicable tunnel between the MAG and the LMA.
>
> For security considerations, the authors predictably defer to RFC5213,
> "Proxy Mobile IPv6", and assert "no impact on the protocol security".
> However, there is one security issue that is mentioned in RFC5213 that
> is exacerbated by the current draft. I.e.,
>
> To address the threat related to a compromised mobile access gateway,
> the local mobility anchor, before accepting a Proxy Binding Update
> message for a given mobile node, may ensure that the mobile node is
> attached to the mobile access gateway that sent the Proxy Binding
> Update message.
>
> The RFC has no recommendation for a solution, but because there are
> now multiple tunnels, this assurance may be more difficult to obtain.
> For example, if the LMA expects to contact some kind of trusted entity
> that is keeping track of the mobile devices that the MAG is sending on
> a tunnel, then the MAG and LMA may now have to keep track of multiple
> trusted entities, one for each tunnel. Whether or not this is a
> realistic scenario is not something that I can judge because RFC5213
> punts on what seems to be an important security issue.
>
> Is there any reason to worry about reuse of CoAs? Could packets from
> one tunnel get a CoA that was recently used by another tunnel, and
> could delayed packets get routed through the wrong tunnel? Just asking.
>
> Nits. On page 3 there is a paragraph beginning "In the continuation
> of c, a Proxy Mobile IPv6 ..." There is no explanation of "c". Is
> this a remnant of a list of items "a, b, c"?
>
> On page 4 there is Figure 1 showing four flows and two tunnels. The
> text immediately preceding that says that "Flow-1,2 and 3 are
> distributed either on Tunnel-1 (over LTE) or Tunnel-2 (over WLAN)",
> but the diagram shows Flow-1 on Tunnel-1 and Flow-2,3 on Tunnel-2.
> I think the text should indicate that the first three flows are
> each assigned to a single tunnel. The authors probably meant that
> either Tunnel-1 or Tunnel-2 could have been assigned, but the choice
> was to put Flow-1 on Tunnel-1 and the other flows on Tunnel-2.
> I had to read over the text several times before I was sure of the
> intent.
>
> Hilarie
>
> On 8/1/17, 1:13 PM, "Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com>
> wrote:
>
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-dmm-mag-multihoming-04: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dmm-mag-multihoming/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Thanks for your work on this draft.  I had the same concern as the SecDir
> reviewer in reading the draft, the concern about leaking traffic as a result
> of
> multiple tunnels is not addressed in the security considerations section.
> Hilary's writeup is quite helpful
>
> https://www.ietf.org/mail-archive/web/secdir/current/msg07446.html
>
>
>
>
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email