Re: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 15 December 2016 15:22 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1780F1296CF; Thu, 15 Dec 2016 07:22:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.197
X-Spam-Level:
X-Spam-Status: No, score=-7.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Un4YgltcDaOm; Thu, 15 Dec 2016 07:22:18 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AADB1296D2; Thu, 15 Dec 2016 07:22:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 80CF8BE74; Thu, 15 Dec 2016 15:22:09 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RjObnX3mhf-D; Thu, 15 Dec 2016 15:22:08 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 7EB58BE51; Thu, 15 Dec 2016 15:22:07 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1481815328; bh=xATuA/J2n2hk3uYPFDiahN4Y7MQWt0qNCQQC30ovNFM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Vbfb9WgkAIEy4k9VqLX96IuruZXho4xF5t5I1S6LLvUgVAFwOV8PiAS0Xf/JiRLJD BqTmZBCHIUQ6IPHRR3kuUXZdLuycXtEVD6sGaVbIOnUtGz/KwFrrPDkoeYXWuwuYIu 8aMcXqLKliykAPlXyN9tTlokE8kQLs21Zrst9Os8=
To: Rick Taylor <rick@tropicalstormsoftware.com>, "iesg@ietf.org" <iesg@ietf.org>
References: <148181277830.27651.2048933448078334926.idtracker@ietfa.amsl.com> <1481814736.2566.27.camel@tropicalstormsoftware.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <c3b489e0-205c-24e4-9f9f-8356113df680@cs.tcd.ie>
Date: Thu, 15 Dec 2016 15:22:07 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <1481814736.2566.27.camel@tropicalstormsoftware.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070507030301040800000807"
Archived-At: <https://mailarchive.ietf.org/arch/msg/manet/hYPkMI1ttzXIp06BrmP3eUCS2Ec>
Cc: "manet@ietf.org" <manet@ietf.org>, "draft-ietf-manet-dlep@ietf.org" <draft-ietf-manet-dlep@ietf.org>, "manet-chairs@ietf.org" <manet-chairs@ietf.org>
Subject: Re: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 15:22:22 -0000
Hiya, On 15/12/16 15:12, Rick Taylor wrote: > Hi Stephen, > > Thanks for the comments, some answers inline... > > On Thu, 2016-12-15 at 06:39 -0800, Stephen Farrell wrote: >> Stephen Farrell has entered the following ballot position for >> draft-ietf-manet-dlep-26: No Objection >> >> - 5.1: Is a modem supposed to ignore peer discovery >> signals from routers with which the modem does not have a >> TCP connection? > > Peer Discovery is a UDP-based mechanism that is designed to run before > a TCP-based session is established, much like UPnP or mDNS. Sure, but my question stands doesn't it? As written a modem could decide to drop the current connection or ignore the signal. Don't you need to say? > >> >> - 10.7: This says: "If the modem is capable of >> understanding and forwarding this information (via >> mechanisms not defined by DLEP)," I don't get why that's >> here, can you explain? If modem-modem comms is part of >> DLEP deployments (even if not fully spec'd) then that does >> change the security model. > > DLEP only defines the conversation between a local router/modem pair. > How or what a modem sends over the air to another modem is > intentionally out of scope. That's why I don't get why the text sorta muddies the waters with the above quoted text. > >> >> - 10.9 and elsewhere: none of these messages have anything >> like a cookie. Why not? That'd help mitigate potential off >> path attacks, where we currently depend solely on TTL=255 >> (and TLS, which seems to not be some people's favourite;-) > > To be frank - we never considered a cookie as a security mechanism. > Personally I considered an attacker capable of successfully injecting > octets into an existing TCP stream would probably be able to hijack a > cookie mechanism. > > However, I am not a security expert, and if this is a viable > alternative to TLS (which is unpopular with implementers, and has open > questions over certification) then it is definitely something that > should be considered. I'd need to think about the combination of 1-hop and offpath but there may be cases where it's useful e.g. to stop someone else on the same LAN from hijacking an existing session. Cookie mechanisms are not really an alternative to TLS though, more a useful thing if one doesn't have TLS, if you see the difference I mean. Cheers, S. > >> >> - 11.8/9: are there any special addresses that MUST NOT >> occur here? E.g. ::1, 127.0.0.10? What about the addresses >> IANA allocates for you from 13.14/15? > > From a DLEP perspective, no destination address or subnet is > prohibitted. Obviously a user can configure their network stupidly and > then it wont work, but from a functional perspective, DLEP doesn't > care. And it doesn't add any further restriction on addresses beyond > the regular IPv4/6 rules. > >> >> - 11.10/11: what does prefix=0 mean? > > Prefix 0 was left in to allow announcement of a default route. > >> >> - I agree with Alexey's DISCUSS#3, the TLS stuff needs >> more work to be usable. Maybe recommend PSK? > > None of the authors are self-confessed security experts, and we do need > advice here. > > Thanks, > > Rick >
- [manet] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [manet] Stephen Farrell's No Objection on dra… Rick Taylor
- Re: [manet] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [manet] Stephen Farrell's No Objection on dra… Rick Taylor