Re: [dna] next steps on draft-ietf-dna-simple

"Bernard Aboba" <bernard_aboba@hotmail.com> Thu, 10 December 2009 01:04 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: dna@core3.amsl.com
Delivered-To: dna@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 259B83A684C; Wed, 9 Dec 2009 17:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.619
X-Spam-Level:
X-Spam-Status: No, score=-1.619 tagged_above=-999 required=5 tests=[AWL=0.980, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wWFXjjFK8TZJ; Wed, 9 Dec 2009 17:04:36 -0800 (PST)
Received: from blu0-omc3-s13.blu0.hotmail.com (blu0-omc3-s13.blu0.hotmail.com [65.55.116.88]) by core3.amsl.com (Postfix) with ESMTP id E4B0A3A6803; Wed, 9 Dec 2009 17:04:35 -0800 (PST)
Received: from BLU137-DS1 ([65.55.116.74]) by blu0-omc3-s13.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 9 Dec 2009 17:04:25 -0800
X-Originating-IP: [131.107.0.72]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU137-DS1F32A2E3E81C6B537AB94938D0@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: "'Suresh Krishnan'" <suresh.krishnan@ericsson.com>, "'Jari Arkko'" <jari.arkko@piuha.net>
References: <4B0655CB.2040309@piuha.net> <4B203D25.5090409@ericsson.com>
In-Reply-To: <4B203D25.5090409@ericsson.com>
Date: Wed, 9 Dec 2009 17:04:25 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acp5LdP0gI6yz8TETPelB8CIwuzwvwABk7Kw
Content-Language: en-us
X-OriginalArrivalTime: 10 Dec 2009 01:04:25.0006 (UTC) FILETIME=[B7109CE0:01CA7934]
Cc: 'DNA' <dna@eng.monash.edu.au>, dna@ietf.org, 'Lars Eggert' <lars.eggert@nokia.com>, 'IESG' <iesg@ietf.org>, draft-ietf-dna-simple@tools.ietf.org
Subject: Re: [dna] next steps on draft-ietf-dna-simple
X-BeenThere: dna@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNA working group mailing list <dna.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dna>, <mailto:dna-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dna>
List-Post: <mailto:dna@ietf.org>
List-Help: <mailto:dna-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dna>, <mailto:dna-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 01:04:37 -0000

> 3) An additional security consideration issue was brought in secdir
review.
> 
>   Please add the following text to the end of the security
>   considerations section:
> 
>   The DNA procedure does not in itself provide positive, secure 
>   authentication of the router(s) on the network, or authentication of
>   the network itself, as e.g. would be provided by mutual authentication
>   at the link layer. Therefore when such assurance is not available, the
>   host MUST NOT make any security-sensitive decisions based on the DNA
>   procedure. In particular, it MUST NOT decide it has rejoined a network
>   known to be physically secure, and proceed to abandon cryptographic
>   protection.

This text doesn't make sense.  In the case where DNA is based on SEND, DNA
does provide positive,
secure authentication of the router(s) on the network.  Also, the document
describes how 
secure address determination, where present, takes precedence over DNA.