Re: [DMM] Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 17 August 2017 14:05 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: dmm@ietfa.amsl.com
Delivered-To: dmm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49AA013242C; Thu, 17 Aug 2017 07:05:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zFAt_UhedXbu; Thu, 17 Aug 2017 07:05:34 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F71132063; Thu, 17 Aug 2017 07:05:33 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id i12so43711930pgr.3; Thu, 17 Aug 2017 07:05:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=83XzUYB2JPOgQUQGZ9/XOOhyILlpySepW2H0RCdx2w0=; b=CcdIOKhvQgBnYFVcFAgYhVRpwECL9YOahBflH0nyZ8OaDfujWIGRz4tLE+Y6gm8Z9y BTJmCPnExbVfPZTVjNwMlyiPti1kAV1KgsghqmLJS96tnUV7P6tb6K0syR4+0A88ot89 gSQ4+yHhAappkbKXfEWHvXmKu9qtbUr5XbnDScwlGuHPx/RLWVwnAy/+85SBGhHip/yf OvRQxvbRRKYCWr6FchEs/jb/cI/0CB+RxWc1cYbEqEeSL2J3AKH8KeMBCcTOaIC/gm6g N4OO4ayCQ0TNIUasCfttUtpwdKMT0fYR+/rpTHrVlNZ/uphV6Tce4DO0ubTld71DBVc0 ybjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=83XzUYB2JPOgQUQGZ9/XOOhyILlpySepW2H0RCdx2w0=; b=BHKEHsYVomVsJ2Z3Kq4Zl0FvzKoXu4XDukIT6xt+Tp9sNN+hrDDu20wjxwCYeQBaio 7hkTohg8XkZBK3pkZw7XppeygR4KD4NtQ0QLyrwujOCWB0MaYLA8hQFDzX3C0nfEwjuR s8WhXo9iIMtt/N8A+1vtVnjdS6aiKlCUCnY4QQRTrxvFvSJn9xr4u7WpuYzwy7Yoib+c zltNe9QJioTToESBmqmDBaFPOLUG7Q9o+tEeq4URPFcOfqZy7I9GuXa+PDCQmMrvoS1w ZsEAmpDEBNnlyhz4xdp5+qu5bQh2JTXZphZ92MDTOFv1fCzw+EzfgTIbTxaT/DBe47GZ EmSw==
X-Gm-Message-State: AHYfb5hJ2eMDNU3C7uxgP3ESbhCKidbL1FgbexiwRJWAVIvhTsSmOfxw f8Bkmp1h0SzTiDV3f53n5e6V43mnoQ==
X-Received: by 10.84.229.13 with SMTP id b13mr5945531plk.352.1502978733293; Thu, 17 Aug 2017 07:05:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.144.1 with HTTP; Thu, 17 Aug 2017 07:04:52 -0700 (PDT)
In-Reply-To: <D5BA4FC7.287B1F%sgundave@cisco.com>
References: <150161840636.12123.2784912255737760138.idtracker@ietfa.amsl.com> <D5BA4FC7.287B1F%sgundave@cisco.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 17 Aug 2017 10:04:52 -0400
Message-ID: <CAHbuEH6n9WnTZNKHk_rF9sKERQo=5c=9U0xmXdmxB56wCGsx0A@mail.gmail.com>
To: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-dmm-mag-multihoming@ietf.org" <draft-ietf-dmm-mag-multihoming@ietf.org>, Jouni Korhonen <jouni.nospam@gmail.com>, "dmm-chairs@ietf.org" <dmm-chairs@ietf.org>, "dmm@ietf.org" <dmm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmm/nwTET7JDZ-Npvp7quDVCtPLRspg>
Subject: Re: [DMM] Kathleen Moriarty's Discuss on draft-ietf-dmm-mag-multihoming-04: (with DISCUSS)
X-BeenThere: dmm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Distributed Mobility Management Working Group <dmm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmm>, <mailto:dmm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmm/>
List-Post: <mailto:dmm@ietf.org>
List-Help: <mailto:dmm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmm>, <mailto:dmm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 14:05:36 -0000
Good morning, On Wed, Aug 16, 2017 at 11:04 PM, Sri Gundavelli (sgundave) <sgundave@cisco.com> wrote: > Hi Kathleen and Hilarie, > > Thank you for reviewing the documents and the feedback. Please see inline. > > > >> For security considerations, the authors predictably defer to RFC5213, >> “Proxy Mobile IPv6”, and assert "no impact on the protocol security". >> However, there is one security issue that is mentioned in RFC5213 that is >> exacerbated by the current draft. I.e., > >> To address the threat related to a compromised mobile access gateway, the >> local mobility anchor, before accepting a Proxy Binding Update message for a >> given mobile node, may ensure that the mobile node is attached to the mobile >> access gateway that sent the Proxy Binding Update message. > > > A MAG is required to prove the presence of a mobile node’s presence on its > (ingress) access link. That assertion needs to be validated by the LMA. But, > MAG using a single tunnel or multiple tunnels has no relation to this issue. > The LMA identifies the MAG using the MAG-NAI and not using Care-of Address; > a new option, MAG Identifier option is defined in section 4.2 for this > purpose. > Could you add some text to the security considerations to explain why there is no concern then related to split tunneling/data leakage to the incorrect tunnel? > > > > >> Is there any reason to worry about reuse of CoAs? Could packets from one >> tunnel get a CoA that was recently used by another tunnel, and could delayed >> packets get routed through the wrong tunnel? Just asking. > > The tunnels between LMA and MAG are dynamically established after protocol > signaling. The idea of CoA re-use between MAG’s and delayed packets getting > delivered to a different MAG is impossible to realize even in lab > conditions. It is possible there are two MAG’s in a given access network and > one looses the CoA and the other MAG gets the name address. But, the tunnels > comes up after PBU/PBA exchange which introduces some delay, and so the > possibility of packets from previous MAG-era getting showing up at the new > MAG is nearly impossible and is not worth mentioning it, IMO. > > > > > >> Nits. On page 3 there is a paragraph beginning “In the continuation of c, >> a Proxy Mobile IPv6 ..." There is no explanation of “c". Is this a remnant >> of a list of items "a, b, c"? > > Fixed in -04 version > > > > > >> On page 4 there is Figure 1 showing four flows and two tunnels. The > > We just wanted to hint that the Flow-4 is based on per-packet load balancing > using both the paths, whereas the other flows are routed based on Per-flow > load balancing. But, I think the comment is still valid. We should show the > use of a single forwarding mode and not mix both the modes. Minor nit, will > fix it. Thank you for fixing this. Kathleen > > > Thank you for your review. > > > Regards > Sri > > > > > > > > ————————————————— > Security review of > MAG Multipath Binding Option > draft-ietf-dmm-mag-multihoming-03.txt > > Do not be alarmed. I have reviewed this document as part of the > security directorate's ongoing effort to review all IETF documents > being processed by the IESG. These comments were written primarily > for the benefit of the security area directors. Document editors and > WG chairs should treat these comments just like any other last call > comments. > > If you've been frustrated by being limited to only one IP tunnel > between a mobile access gateway and a local mobility anchor, then > you'll be glad to know that this draft fixes the problem and enables > multiple care-of addresses and IP tunnels. Now mobile devices can be > assigned to any applicable tunnel between the MAG and the LMA. > > For security considerations, the authors predictably defer to RFC5213, > "Proxy Mobile IPv6", and assert "no impact on the protocol security". > However, there is one security issue that is mentioned in RFC5213 that > is exacerbated by the current draft. I.e., > > To address the threat related to a compromised mobile access gateway, > the local mobility anchor, before accepting a Proxy Binding Update > message for a given mobile node, may ensure that the mobile node is > attached to the mobile access gateway that sent the Proxy Binding > Update message. > > The RFC has no recommendation for a solution, but because there are > now multiple tunnels, this assurance may be more difficult to obtain. > For example, if the LMA expects to contact some kind of trusted entity > that is keeping track of the mobile devices that the MAG is sending on > a tunnel, then the MAG and LMA may now have to keep track of multiple > trusted entities, one for each tunnel. Whether or not this is a > realistic scenario is not something that I can judge because RFC5213 > punts on what seems to be an important security issue. > > Is there any reason to worry about reuse of CoAs? Could packets from > one tunnel get a CoA that was recently used by another tunnel, and > could delayed packets get routed through the wrong tunnel? Just asking. > > Nits. On page 3 there is a paragraph beginning "In the continuation > of c, a Proxy Mobile IPv6 ..." There is no explanation of "c". Is > this a remnant of a list of items "a, b, c"? > > On page 4 there is Figure 1 showing four flows and two tunnels. The > text immediately preceding that says that "Flow-1,2 and 3 are > distributed either on Tunnel-1 (over LTE) or Tunnel-2 (over WLAN)", > but the diagram shows Flow-1 on Tunnel-1 and Flow-2,3 on Tunnel-2. > I think the text should indicate that the first three flows are > each assigned to a single tunnel. The authors probably meant that > either Tunnel-1 or Tunnel-2 could have been assigned, but the choice > was to put Flow-1 on Tunnel-1 and the other flows on Tunnel-2. > I had to read over the text several times before I was sure of the > intent. > > Hilarie > > On 8/1/17, 1:13 PM, "Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com> > wrote: > > Kathleen Moriarty has entered the following ballot position for > draft-ietf-dmm-mag-multihoming-04: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dmm-mag-multihoming/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thanks for your work on this draft. I had the same concern as the SecDir > reviewer in reading the draft, the concern about leaking traffic as a result > of > multiple tunnels is not addressed in the security considerations section. > Hilary's writeup is quite helpful > > https://www.ietf.org/mail-archive/web/secdir/current/msg07446.html > > > > > -- Best regards, Kathleen
- [DMM] Kathleen Moriarty's Discuss on draft-ietf-d… Kathleen Moriarty
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… pierrick.seite
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… Sri Gundavelli (sgundave)
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… Kathleen Moriarty
- Re: [DMM] Kathleen Moriarty's Discuss on draft-ie… Sri Gundavelli (sgundave)