[Last-Call] Opsdir telechat review of draft-ietf-anima-constrained-join-proxy-10
Jürgen Schönwälder via Datatracker <noreply@ietf.org> Mon, 13 June 2022 10:43 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: last-call@ietf.org
Delivered-To: last-call@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5556EC15948D; Mon, 13 Jun 2022 03:43:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Jürgen Schönwälder via Datatracker <noreply@ietf.org>
To: ops-dir@ietf.org
Cc: anima@ietf.org, draft-ietf-anima-constrained-join-proxy.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 8.3.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <165511700134.52257.16347015184784617646@ietfa.amsl.com>
Reply-To: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
Date: Mon, 13 Jun 2022 03:43:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/WTHP7bI_KURW0VoDq8lTsfYK1gc>
Subject: [Last-Call] Opsdir telechat review of draft-ietf-anima-constrained-join-proxy-10
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2022 10:43:21 -0000
Reviewer: Jürgen Schönwälder
Review result: Has Issues
Thanks for considering my comments.
I am still struggling with the fact that the constrained Join
Proxy does allow attackers to send packets to arbitrary link-local
endpoints. The new security considerations text gives this advice:
If such scenario needs to be avoided, the constrained Join Proxy MUST
encrypt the CBOR array using a locally generated symmetric key. The
Registrar is not able to examine the encrypted result, but does not
need to. The Registrar stores the encrypted header in the return
packet without modifications. The constrained Join Proxy can decrypt
the contents to route the message to the right destination.
The usage of MUST surely looks promising, but then protection
against this kind of attacks still is entirely optional ("if such
scenario needs to be avoided"). This relates to the other main
concern I had, namely that it is not particularly clear what is
required to be implemented as an interoperable baseline so that
at deployment time appropriate decisions can be taken.
- [Last-Call] Opsdir telechat review of draft-ietf-… Jürgen Schönwälder via Datatracker
- Re: [Last-Call] Opsdir telechat review of draft-i… Michael Richardson
- Re: [Last-Call] Opsdir telechat review of draft-i… Jürgen Schönwälder
- Re: [Last-Call] Opsdir telechat review of draft-i… Michael Richardson
- Re: [Last-Call] [OPS-DIR] Opsdir telechat review … Jürgen Schönwälder
- Re: [Last-Call] [OPS-DIR] Opsdir telechat review … Michael Richardson