[MEXT] Review of I-D draft-korhonen-mext-mip6-altsec-06

"Jan Zorz @ go6.si" <jan@go6.si> Thu, 20 January 2011 08:31 UTC

Message-ID: <4D37F38A.4080602@go6.si>
Date: Thu, 20 Jan 2011 09:34:18 +0100
From: "Jan Zorz @ go6.si" <jan@go6.si>
To: mext@ietf.org
Subject: [MEXT] Review of I-D draft-korhonen-mext-mip6-altsec-06
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>

Hi,

It took me quite a long time to write this review, but finally, here it is :)

Review comments:

In general, the proposal of using an alternative to IPsec and IKEv2
seems quite okay. The main purpose of Mobile IPv6 is to enable
mobility at the IP layer, and hence using TLS, which is much more widely
implemented and deployed, to secure the signaling is good.

More specific comments:

- The proposal introduces a new element called HAC. In terms of
   deployments such a network element may become central for
   bootstrapping Mobile IPv6. The I-D states that the HAC could be
   co-located with the HA. In reality, the HAC should be a standalone
   entity which interacts with AAA and policy engines in a network.

- TLS is widely used for security on the Internet today. Hence the use
   of TLS does not weaken Mobile IPv6 security. TLS is also used only
   for bootstrapping and not for securing the signaling or traffic.

- Describe the steps in figure 1.

- The security association scope says that it describes whether the SA
   is only for signaling or for data as well. It would be useful to make
   it more explicit.

- Route optimization is an important feature of Mobile IPv6. Hence
   this alternate security solution should explain how the route
   optimization signaling messages are secured.

- It is unclear why HTTP headers (Sec 8.2) are being reserved. I could not
   really understand the purpose.

- Message details are fairly complete and hence should be
   implementable.

In summary, the draft is well written and complete and should be
considered for standardization.

I'm using DSMIP6-TLS implementations on an N900 phone and an Ubuntu Linux
laptop in everyday life and it seems to work quite well. There are still
some implementation issues that need to be fixed, but the overall feeling
is very satisfactory.

Regards, Jan Zorz
go6.si