IETF Logo Mail Archive

Re: [ipwave] Roman Danyliw's Discuss on draft-ietf-ipwave-ipv6-over-80211ocb-49: (with DISCUSS and COMMENT)

Nabil Benamar <n.benamar@est.umi.ac.ma> Fri, 12 July 2019 05:00 UTC

Return-Path: <n.benamar@est.umi.ac.ma>
X-Original-To: its@ietfa.amsl.com
Delivered-To: its@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44F4A120077 for <its@ietfa.amsl.com>; Thu, 11 Jul 2019 22:00:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.6
X-Spam-Level:
X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=est-umi-ac-ma.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GtlmZqUHvETr for <its@ietfa.amsl.com>; Thu, 11 Jul 2019 22:00:39 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F5721200F8 for <its@ietf.org>; Thu, 11 Jul 2019 22:00:35 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id k20so17631112ios.10 for <its@ietf.org>; Thu, 11 Jul 2019 22:00:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=est-umi-ac-ma.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ePDqRbgJ5Xz10w7vUnmN/v6STRwJAVB1CYy/f2YNpN8=; b=ife0pTqiKHaTPiJ6XxYNVSTRvJHbehyHOQ22IvN7/uXJBpWopM8vYEKlKWTNEFWqe5 aQF9go6/92FOw2WaM5VMFitPcuKB1fODIA8jahzMADEhqKcd1iocu7erx053gJrH+IBb UCelUj+8u12Da5ML9rm6As2P6JRLWtFPVTdYbpaw368zHGTE0bLSZX/dJ0GdJCMWs1mL Btc10/TL9kG4ggWv7CJdUIa3gPc8Z/9f+sr3SqYa+UshXmhwE4mPJuGyfSsqNkrgNrHH 4EHsyLL49k/UXdrF8DjrtkDOHmmyb2mOEXodgDjQjzWylCOxKPN1Yj5+O3MzLu+36LAX pHiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ePDqRbgJ5Xz10w7vUnmN/v6STRwJAVB1CYy/f2YNpN8=; b=aBJfULgAEHEMSSRnClYPmf9gqPfAGmXHQset5j0rX6P9n+2NTCnqHPRzbKsgEe2+gG jg1chkJQeeI4EaR/w/8AoB2GY4ee/CdKebNowQH6LyUK8HJWGL9DAGGDKNfEfgStEunI iJJ0n0muegC7uGZevYe42OiY/gD8H66cjCBT2N9JmU5ykaI7mcZk5eOCYid94nneRJPy AdzQt9+rWcKwbw5tL188nkng+esXO6PETaYx/1qzqUIxT2F/tZukRTzgvIqWN9N6QUa6 KMh+XKRD50s64wWdp0Mvmik0PLMgkl5LZv2SuvrkrTRGM+L5aXd9/oDdLheTg03thn6E nQZA==
X-Gm-Message-State: APjAAAXq1a/mWwV+79RxtGL03NaJy41qugpZbVAEdwnedPY6PwXiDO2D SVkVHY2X52VO6CSZNRmwvr5JnxLYdwit85JcAY8h6Q==
X-Google-Smtp-Source: APXvYqyfqXuaQp9GKayz6QNPU2Gzxe2gAGy0dslCbm6d80BvXLt/X8+O31WkeypZ2IlqmAxHtjFssQBVFtXXPBXo/9I=
X-Received: by 2002:a5d:8890:: with SMTP id d16mr8292787ioo.274.1562907634427; Thu, 11 Jul 2019 22:00:34 -0700 (PDT)
MIME-Version: 1.0
References: <156270262382.15819.8454309099280995022.idtracker@ietfa.amsl.com> <CAD8vqFdf7yTAVFeiz7t4qazhcrYjDcMOPPbvfwQy2xcA9GjQ2A@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFC01B33CE293@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33CE293@marchand>
From: Nabil Benamar <n.benamar@est.umi.ac.ma>
Date: Fri, 12 Jul 2019 06:00:58 +0100
Message-ID: <CAD8vqFexwdsqFQ4tUGdQpxvV=wWb1Y4GpZZtjCuyHZbH=vOqwA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: IESG <iesg@ietf.org>, draft-ietf-ipwave-ipv6-over-80211ocb@ietf.org, Carlos Bernardos <cjbc@it.uc3m.es>, "ipwave-chairs@ietf.org" <ipwave-chairs@ietf.org>, "its@ietf.org" <its@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e003b058d74ca5f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/-3n1fj6489VdMabkol0s-frzVxQ>
Subject: Re: [ipwave] Roman Danyliw's Discuss on draft-ietf-ipwave-ipv6-over-80211ocb-49: (with DISCUSS and COMMENT)
X-BeenThere: its@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/its>, <mailto:its-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/its/>
List-Post: <mailto:its@ietf.org>
List-Help: <mailto:its-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/its>, <mailto:its-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 05:00:42 -0000

Hi Roman,


Thank you for your review.

I agree on the text you added, and the parts that should be removed.

I will update the draft as soon as the window is opened. I guess during
Montreal meeting.


Thanks again.



Yours.

On Fri, Jul 12, 2019, 02:50 Roman Danyliw <rdd@cert.org> wrote:

>
>
>
>
> *From:* Nabil Benamar [mailto:n.benamar@est.umi.ac.ma]
> *Sent:* Wednesday, July 10, 2019 7:37 AM
> *To:* Roman Danyliw <rdd@cert.org>
> *Cc:* The IESG <iesg@ietf.org>;
> draft-ietf-ipwave-ipv6-over-80211ocb@ietf.org; Carlos Bernardos <
> cjbc@it.uc3m.es>; ipwave-chairs@ietf.org; its@ietf.org
> *Subject:* Re: Roman Danyliw's Discuss on
> draft-ietf-ipwave-ipv6-over-80211ocb-49: (with DISCUSS and COMMENT)
>
>
>
> Hi Roman,
>
>
>
> Thank you for your detailed review. Let me start with the 'DISCUSS'
> comments.
>
>
>
> Please see my answers below.
>
>
>
> On Tue, Jul 9, 2019 at 9:03 PM Roman Danyliw via Datatracker <
> noreply@ietf.org> wrote:
>
> Roman Danyliw has entered the following ballot position for
> draft-ietf-ipwave-ipv6-over-80211ocb-49: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ipwave-ipv6-over-80211ocb/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> A few items per the text in the Security Considerations (Section 5):
>
> (1) Section 5.  Per “A previous work at SAVI WG identifies some threats
> [RFC6959], while SeND presented in [RFC3971] and [RFC3972] is a solution
> against address theft but it is complex and not deployed.”, a few
> questions:
>
> ** What specific threats from RFC6959 are of concern?  Which mitigations
> for
> them are being proposed?
>
> Since there is no Layer 2 security in OCB, anyone can join the same subnet and impersonate any only else, to source traffic and get the traffic back.
>
>
>
> [Roman] In this case, perhaps something more precise could be said:
>
>
>
> OLD:
>
>    The potential attack vectors are: MAC address spoofing, IP address
>
>     and session hijacking, and privacy violation Section 5.1.  A previous
>
>     work at SAVI WG identifies some threats [RFC6959], while SeND
>
>     presented in [RFC3971] and [RFC3972] is a solution against address
>
>    theft but it is complex and not deployed.
>
>
>
> NEW:
>
> When using OCB, no layer 2 security is provided.  Therefore, any node can join a subnet, directly communicate with any nodes on the subset to include potentially impersonating another node.  This design allows for a number of threats outlined in Section 3 of [RFC6959].  While not widely deployed, SeND [RFC3971] [RFC3972] is a solution that can address <insert qualifying statements on which subset of the threats in Section 3>”
>
> END
>
>
>
> There is no mitigation in this specification because it is limited to RFC 4861 and 4862 and SeND is not available in the current stacks.
>
>
>
> ** Why mention SeND if it is “complex and not deployed”?
>
>
>
> This was informational because it may be the only pertinent remediation.
>
>
>
>
> (2) Section 5.  Per “More IETF protocols are available in the toolbox of
> the IP
> security protocol designer.  Some ETSI protocols related to security
> protocols
> in ITS are described in [ETSI-sec-archi].”:
>
> ** Are there specific protocols to mention here?  Would they be
> different/OCB-specific than what was already noted in the beginning of the
> section -- “Any security mechanism as the IP layer or above that may be
> carried
> out …”?
>
> ** What specific ETSI protocols are being recommended from
> [ETSI-sec-archi]?
>
>
>
> This sentence is just informational. I propose to remove the whole
> sentence.
>
>
>
> [Roman] That works for me.
>
>
>
>
> (3) Section 5.2.  Per “An Interface ID SHOULD be of length specified in
> other
> documents”, what other documents?
>
> I'm afraid no other documents as mentioned by Alex in its reply. To be
> removed.
>
>
>
> [Roman] Removing the text works for me.
>
>
>
> Thanks,
>
> Roman
>
>
>
>
> (4) Section 5.3  I’m having trouble following this section – is this a
> discussion of a threat or mitigation?  The references to Section 4.4 and
> 5.0
> didn’t clarity this for me.
>
> ** What is meant by the drivers’ identity in this case?  What is the
> pseudonym
> scheme is being used to protect it or what requirements are being set for
> it?
>
> ** What are the specific challenges of concern around pseudo-anonymization
> approaches to which an allusion is made?
>
> ** Who is the trusted third parted needed?
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> (5) Section 1.  Per “The resulting stack inherits from IPv6 over Ethernet
> [RFC2462], but operates over …”, what exactly is being inherited?  What
> does
> “inherited” mean in this case?
>
> (6) Section 4.3.  Per “Among these types of addresses only the IPv6
> link-local
> addresses can be formed using an EUI-64 identifier, in particular during
> transition time”, the meaning of the “in particular during transition time
> isn’t clear to me.
>
> (7) Section 5.  Per “The OCB operation is stripped off of …”, is this
> sentence
> saying that OCB operations doesn’t use 802.11 link layer security
> mechanisms,
> or does the OCB operation actively remove (i.e., strips) 802.11 link layer
> security mechanisms?  I’m getting caught up in the use of “stripped off”.
>
> (8) Section 5, Per “Any attacker can therefore just sit in the near range
> of
> vehicles ... and performs attacks without needing to physically break any
> wall”, I’d recommend revising this sentence to reflect that it isn’t just
> vehicles and that active attacks are possible:
>
> NEW:
> Therefore, an attacker can sniff or inject traffic while within range of a
> vehicle or IP-RSU (by setting an interface card’s frequency to the proper
> range).
>
> (9) Section 5.  What is “protected 802.11” mentioned in “Such a link is
> less
> protected …”?
>
> (10) Section 5.2.  SHA256 needs a reference.
>
> (11) Editorial Nits
> ** Table of Contents.  There is odd spacing in the title of Appendix C
>
> ** Section 1.  Typo.  s/Appendicies/Appendices/
>
> ** Section 1.  Typo.  s/Concretly/Concretely/
>
> ** Section 1.  Editorial.  s/[RFC1042], [RFC2464] ./[RFC1042 and
> [RFC2464]./
>
> ** Multiple sections. Editorial, to make an RFC citation a reference.
> s/RFC2464/[RFC2464]/ and s/RFC 7217/[RFC7217]/
>
> ** Section 4.5.  Typo.  s/.A  A future/.  A future/
>
> ** Section 4.6. Typo.  s/links; The/links.  The/
>
> ** Section 5.1.  Typo.  s/Futhermore/Furthermore/
>
> ** Section 5.1.  Typo.  s/pricavy/privacy/
>
> ** Section 5.2. Typo.  s/admninistered/ administered/
>
> ** Appendix B.  s/Ammendment/Amendment/
>
> ** Appendix H.  Duplicate word. s/section Section 2/Section 2/
>
> ** Appendix I.  Typo.  s/specificed/specified/
>
> ** Appendix I. Typo.  s/Moreoever/Moreover/
>
>
>
>
> --
>
>
> Best Regards
>
>
>
> Nabil Benamar
>
> Associate Professor
>
> Department of Computer Sciences
>
> School of Technology
>
> Moulay Ismail University
>
> Meknes. Morocco
>
>
>
>
>

v2.23.0 | Report a Bug | By Email