Re: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
Rick Taylor <rick@tropicalstormsoftware.com> Thu, 15 December 2016 15:12 UTC
Return-Path: <rick@tropicalstormsoftware.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B137128824; Thu, 15 Dec 2016 07:12:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.797
X-Spam-Level:
X-Spam-Status: No, score=-4.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZpyssmXFsvg1; Thu, 15 Dec 2016 07:12:43 -0800 (PST)
Received: from mail.tropicalstormsoftware.com (mail.tropicalstormsoftware.com [188.94.42.120]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 483C61296BA; Thu, 15 Dec 2016 07:12:42 -0800 (PST)
Received: from tss-server1.home.tropicalstormsoftware.com ([fe80::753b:fa82:5c0:af0d]) by tss-server1.home.tropicalstormsoftware.com ([fe80::753b:fa82:5c0:af0d%10]) with mapi; Thu, 15 Dec 2016 15:11:58 +0000
From: Rick Taylor <rick@tropicalstormsoftware.com>
To: "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
Thread-Index: AQHSVuEV2xKR6DgxZUyi+iOOn4GycaEJHXsA
Date: Thu, 15 Dec 2016 15:12:16 +0000
Message-ID: <1481814736.2566.27.camel@tropicalstormsoftware.com>
References: <148181277830.27651.2048933448078334926.idtracker@ietfa.amsl.com>
In-Reply-To: <148181277830.27651.2048933448078334926.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-ID: <f1b3fae1-7704-4707-b755-35ef4dce51eb>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/manet/Kx_Lvz_Wo-I-F747crgllQzMtz0>
Cc: "manet@ietf.org" <manet@ietf.org>, "draft-ietf-manet-dlep@ietf.org" <draft-ietf-manet-dlep@ietf.org>, "manet-chairs@ietf.org" <manet-chairs@ietf.org>
Subject: Re: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 15:12:44 -0000
Hi Stephen, Thanks for the comments, some answers inline... On Thu, 2016-12-15 at 06:39 -0800, Stephen Farrell wrote: > Stephen Farrell has entered the following ballot position for > draft-ietf-manet-dlep-26: No Objection > > - 5.1: Is a modem supposed to ignore peer discovery > signals from routers with which the modem does not have a > TCP connection? Peer Discovery is a UDP-based mechanism that is designed to run before a TCP-based session is established, much like UPnP or mDNS. > > - 10.7: This says: "If the modem is capable of > understanding and forwarding this information (via > mechanisms not defined by DLEP)," I don't get why that's > here, can you explain? If modem-modem comms is part of > DLEP deployments (even if not fully spec'd) then that does > change the security model. DLEP only defines the conversation between a local router/modem pair. How or what a modem sends over the air to another modem is intentionally out of scope. > > - 10.9 and elsewhere: none of these messages have anything > like a cookie. Why not? That'd help mitigate potential off > path attacks, where we currently depend solely on TTL=255 > (and TLS, which seems to not be some people's favourite;-) To be frank - we never considered a cookie as a security mechanism. Personally I considered an attacker capable of successfully injecting octets into an existing TCP stream would probably be able to hijack a cookie mechanism. However, I am not a security expert, and if this is a viable alternative to TLS (which is unpopular with implementers, and has open questions over certification) then it is definitely something that should be considered. > > - 11.8/9: are there any special addresses that MUST NOT > occur here? E.g. ::1, 127.0.0.10? What about the addresses > IANA allocates for you from 13.14/15? From a DLEP perspective, no destination address or subnet is prohibitted. Obviously a user can configure their network stupidly and then it wont work, but from a functional perspective, DLEP doesn't care. And it doesn't add any further restriction on addresses beyond the regular IPv4/6 rules. > > - 11.10/11: what does prefix=0 mean? Prefix 0 was left in to allow announcement of a default route. > > - I agree with Alexey's DISCUSS#3, the TLS stuff needs > more work to be usable. Maybe recommend PSK? None of the authors are self-confessed security experts, and we do need advice here. Thanks, Rick
- [manet] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [manet] Stephen Farrell's No Objection on dra… Rick Taylor
- Re: [manet] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [manet] Stephen Farrell's No Objection on dra… Rick Taylor