[Hipsec] mm-03 CBA fixes
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Thu, 13 April 2006 15:20 UTC
To: Miika Komu <miika@iki.fi>, hipsec@ietf.org
Returning to the mm draft comments from Miika.

> > Figure 10.
> >
> > Can the "+ address change" in the lower left corner be removed?
>
> I will check with Christian about this figure, as your question has
> raised also a question in my mind whether it is correct.

Christian has provided the following corrected figure.

           +-------+                        +-------+
           |   A   |                        |   B   |
           +-------+                        +-------+
               |                                |
   address     |------------------------------->| credit += size(packet)
    ACTIVE     |                                |
               |------------------------------->| credit += size(packet)
               |<-------------------------------| don't change credit
               |                                |
               + address change                 |
               + address verification starts    |
   address     |<-------------------------------| credit -= size(packet)
  UNVERIFIED   |------------------------------->| credit += size(packet)
               |<-------------------------------| credit -= size(packet)
               |                                |
               |<-------------------------------| credit -= size(packet)
               |                                X credit < size(packet)
               |                                | => do not send packet!
               + address verification concludes |
   address     |                                |
    ACTIVE     |<-------------------------------| don't change credit
               |                                |

                  Figure 10: Readdressing Scenario

In the course of revising this, I discussed with Christian some
additional clarifying text and would like to propose the following
text that we worked out together:

- Section 3.3.2: Add the following sentence right before the figure:

  "Not shown in Figure 10 are the results of credit aging (Section
  5.5.2), a mechanism used to dampen possible time-shifting attacks."

- Section 5.5: At the beginning of this section (before reaching
  5.5.1) add:

  "To prevent redirection-based flooding attacks, the use of a
  Credit-Based Authorization (CBA) approach is mandatory when a host
  sends data to an UNVERIFIED locator. The following algorithm meets
  the security considerations for prevention of amplification and
  time-shifting attacks. Other forms of credit aging--- and other
  values for the CreditAgingFactor and CreditAgingInterval parameters
  in particular--- are for further study, and so are the advanced CBA
  techniques specified in [1]."

  [1] http://doc.tm.uka.de/2005/draft-vogt-mobopts-credit-based-authorization-00.txt

  (note to Christian: This document [1] will need some official status
  or republishing as a technical report)

- Section 6. Add the following sentence just before starting Section
  6.1:

  "Security considerations for Credit-Based Authorization are
  discussed in [2]."

  [2] http://doc.tm.uka.de/2006/draft-vogt-mobopts-simple-cba-00.txt

  (note: Christian says that he is working with Jari to publish this
  draft)

Tom
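
Added example (not part of the original message or of the draft): the credit bookkeeping that host B performs in Figure 10, replayed in Python to show that the bytes B sends to an UNVERIFIED locator never exceed the bytes it has received from the peer. The class, field and function names and the packet sizes are hypothetical; credit aging is left out, as it is in the figure.

```python
from dataclasses import dataclass

ACTIVE, UNVERIFIED = "ACTIVE", "UNVERIFIED"


@dataclass
class PeerCredit:
    """What host B tracks about peer A (class and field names are hypothetical)."""
    state: str = ACTIVE
    credit: int = 0           # bytes B may still send to an UNVERIFIED locator
    sent_unverified: int = 0  # bytes B actually sent while the locator was UNVERIFIED

    def on_receive(self, size: int) -> None:
        self.credit += size   # every packet from the peer earns credit

    def try_send(self, size: int) -> bool:
        if self.state == ACTIVE:
            return True       # verified locator: send, don't change credit
        if self.credit < size:
            return False      # credit < size(packet) => do not send packet!
        self.credit -= size
        self.sent_unverified += size
        return True


def replay_figure_10(a_size: int = 100, b_size: int = 90):
    """Replay the figure's packet sequence; packet sizes are constructed values."""
    b = PeerCredit()
    sent = []
    b.on_receive(a_size)              # credit 100
    b.on_receive(a_size)              # credit 200
    sent.append(b.try_send(b_size))   # ACTIVE: sent, credit stays 200
    b.state = UNVERIFIED              # address change, verification starts
    sent.append(b.try_send(b_size))   # 200 -> 110
    b.on_receive(a_size)              # 110 -> 210
    sent.append(b.try_send(b_size))   # 210 -> 120
    sent.append(b.try_send(b_size))   # 120 -> 30
    sent.append(b.try_send(b_size))   # 30 < 90: blocked
    b.state = ACTIVE                  # address verification concludes
    sent.append(b.try_send(b_size))   # sent, credit stays 30
    return sent, b.credit, b.sent_unverified


if __name__ == "__main__":
    print(replay_figure_10())
```
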