Re: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
Rick Taylor <rick@tropicalstormsoftware.com> Thu, 15 December 2016 15:40 UTC
Return-Path: <rick@tropicalstormsoftware.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE5412986F; Thu, 15 Dec 2016 07:40:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.797
X-Spam-Level:
X-Spam-Status: No, score=-4.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eJzxh3e7EfBb; Thu, 15 Dec 2016 07:40:54 -0800 (PST)
Received: from mail.tropicalstormsoftware.com (mail.tropicalstormsoftware.com [188.94.42.120]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A69C4129FA4; Thu, 15 Dec 2016 07:40:49 -0800 (PST)
Received: from tss-server1.home.tropicalstormsoftware.com ([fe80::753b:fa82:5c0:af0d]) by tss-server1.home.tropicalstormsoftware.com ([fe80::753b:fa82:5c0:af0d%10]) with mapi; Thu, 15 Dec 2016 15:40:16 +0000
From: Rick Taylor <rick@tropicalstormsoftware.com>
To: "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
Thread-Index: AQHSVuEV2xKR6DgxZUyi+iOOn4GycaEJHXsAgAACwYCAAAUrgA==
Date: Thu, 15 Dec 2016 15:40:37 +0000
Message-ID: <1481816437.2566.40.camel@tropicalstormsoftware.com>
References: <148181277830.27651.2048933448078334926.idtracker@ietfa.amsl.com> <1481814736.2566.27.camel@tropicalstormsoftware.com> <c3b489e0-205c-24e4-9f9f-8356113df680@cs.tcd.ie>
In-Reply-To: <c3b489e0-205c-24e4-9f9f-8356113df680@cs.tcd.ie>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-ID: <64b2ba0e-189d-4d1d-9866-23c0bf11db00>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/manet/tlfT26cUSAG4HCcKGvt0dLHOCFY>
Cc: "manet@ietf.org" <manet@ietf.org>, "draft-ietf-manet-dlep@ietf.org" <draft-ietf-manet-dlep@ietf.org>, "manet-chairs@ietf.org" <manet-chairs@ietf.org>
Subject: Re: [manet] Stephen Farrell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 15:40:58 -0000
On Thu, 2016-12-15 at 15:22 +0000, Stephen Farrell wrote: > Hiya, > > On 15/12/16 15:12, Rick Taylor wrote: > > > > Hi Stephen, > > > > Thanks for the comments, some answers inline... > > > > On Thu, 2016-12-15 at 06:39 -0800, Stephen Farrell wrote: > > > > > > Stephen Farrell has entered the following ballot position for > > > draft-ietf-manet-dlep-26: No Objection > > > > > > - 5.1: Is a modem supposed to ignore peer discovery > > > signals from routers with which the modem does not have a > > > TCP connection? > > Peer Discovery is a UDP-based mechanism that is designed to run > > before > > a TCP-based session is established, much like UPnP or mDNS. > Sure, but my question stands doesn't it? As written > a modem could decide to drop the current connection > or ignore the signal. Don't you need to say? Sorry Stephen, I misunderstood your question. If the modem supports multiple simultaneous DLEP sessions with different routers, then it may start another parallel DLEP session. If it doesn't then it probably shouldn't terminate any existing session, but that's an implementation decision. The bottom line is that we purposefully haven't addressed the multiple simultaneous sessions per DLEP peer issue in this draft, as it isn't clear to the WG how exactly it would work in a sensible way. However, text such as the paragraph above could be added to Section 5.1 if you think it aids clarity? > > > > > > > > > > > > > > - 10.7: This says: "If the modem is capable of > > > understanding and forwarding this information (via > > > mechanisms not defined by DLEP)," I don't get why that's > > > here, can you explain? If modem-modem comms is part of > > > DLEP deployments (even if not fully spec'd) then that does > > > change the security model. > > DLEP only defines the conversation between a local router/modem > > pair. > > How or what a modem sends over the air to another modem is > > intentionally out of scope. > That's why I don't get why the text sorta muddies the > waters with the above quoted text. > The purpose of that text was to explain to an implementer what was required by DLEP to make the whole address thing work, without telling the implementer how they had to do it (or secure it). > > > > > > > > > > > > > - 10.9 and elsewhere: none of these messages have anything > > > like a cookie. Why not? That'd help mitigate potential off > > > path attacks, where we currently depend solely on TTL=255 > > > (and TLS, which seems to not be some people's favourite;-) > > To be frank - we never considered a cookie as a security mechanism. > > Personally I considered an attacker capable of successfully > > injecting > > octets into an existing TCP stream would probably be able to hijack > > a > > cookie mechanism. > > > > However, I am not a security expert, and if this is a viable > > alternative to TLS (which is unpopular with implementers, and has > > open > > questions over certification) then it is definitely something that > > should be considered. > I'd need to think about the combination of 1-hop and offpath > but there may be cases where it's useful e.g. to stop someone > else on the same LAN from hijacking an existing session. > > Cookie mechanisms are not really an alternative to TLS though, > more a useful thing if one doesn't have TLS, if you see the > difference I mean. > I think cookies should be discussed, given that they haven't been yet. I think some of this is being discussed in the other thread in this list covering Alexey's discuss, so I will leave this alone. Cheers, Rick
- [manet] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [manet] Stephen Farrell's No Objection on dra… Rick Taylor
- Re: [manet] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [manet] Stephen Farrell's No Objection on dra… Rick Taylor