Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-connectivity-01.txt
Vijay Devarapalli <vijay.devarapalli@azairenet.com> Fri, 15 December 2006 07:40 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gv7gg-00081b-H7; Fri, 15 Dec 2006 02:40:58 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gv7gf-00081S-MU for mip4@ietf.org; Fri, 15 Dec 2006 02:40:57 -0500
Received: from mail2.azairenet.com ([66.92.223.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gv7ge-0005SC-Bz for mip4@ietf.org; Fri, 15 Dec 2006 02:40:57 -0500
Received: from [127.0.0.1] ([66.92.223.6]) by mail2.azairenet.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Thu, 14 Dec 2006 23:40:55 -0800
Message-ID: <45825186.1060908@azairenet.com>
Date: Thu, 14 Dec 2006 23:40:54 -0800
From: Vijay Devarapalli <vijay.devarapalli@azairenet.com>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Sami Vaarala <sami.vaarala@iki.fi>
Subject: Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-connectivity-01.txt
References: <C24CB51D5AA800449982D9BCB903251335E9FB@NAEX13.na.qualcomm.com> <4581E938.6080400@levkowetz.com> <4581EBE9.6010607@azairenet.com> <45823A04.4020800@iki.fi> <458245F4.7030905@azairenet.com> <45824C9B.7070905@iki.fi>
In-Reply-To: <45824C9B.7070905@iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 15 Dec 2006 07:40:55.0602 (UTC) FILETIME=[5AB03920:01C7201C]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d
Cc: "Narayanan, Vidya" <vidyan@qualcomm.com>, Mobile IPv4 Mailing List <mip4@ietf.org>, Henrik Levkowetz <henrik@levkowetz.com>
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Errors-To: mip4-bounces@ietf.org
Sami Vaarala wrote: > Vijay Devarapalli wrote: >> Sami Vaarala wrote: >>> Vijay Devarapalli wrote: >>>> Henrik Levkowetz wrote: >>>> >>>>>> Also, I think it is worth mentioning that enterprise IP addresses >>>>>> may be >>>>>> visible on untrusted networks, due to transmission of the RRQ, while >>>>>> bypassing the VPN - the i-HA IP address will be available in the >>>>>> clear. >>>>> >>>>> New topic here. The observation seems to be correct. I'll leave >>>>> it up to >>>>> the authors whether they want to comment further on this. >>>> >>>> We could add the following text in the Security >>>> Considerations section. >>>> >>>> When the mobile node sends a registration request to the i-HA >>>> from an >>>> untrusted network that does not go through the IPsec tunnel, it may >>>> be leaking the i-HA's address and its own home address to the >>>> untrusted network. This may be a concern in some deployments. >>> >>> I can live with that, though I think the potential concern is a bit >>> wider. >>> How about this: >>> >>> When the mobile node sends a registration request to the i-HA >>> from an >>> untrusted network that does not go through the IPsec tunnel, the >>> request >>> leaks some information possibly useful for an attacker. In >>> particular, >>> the request reveals the i-HA address (and other address >>> information), >>> the user's NAI (if present), and may provide data which allows an >>> off-line brute-force attack on the MN-HA authentication key. >>> >>> I guess an underlying assumption here has been that the i-MIP setup >>> is not >>> considered to be confidential. Some users may be uncomfortable with >>> their >>> username (NAI) being revealed. >> >> None of these registration requests from the untrusted >> network including the registration request from the >> mobile node make to the i-HA. They are all dropped at >> the Enterprise firewall. > > When the MN visits an untrusted network and attempts to send an RRQ to > the i-HA, the RRQ is visible potentially to anyone, including any > attackers. The RRQ has an authenticator (which may be, for instance, > HMAC-based). Given the full RRQ packet, a brute force attack on the > HMAC key can be launched; this is an off-line attack because all you > need is the RRQ and you can begin churning away on possible HMAC keys, > the MN-HA authentication data will give you the correct answer for > comparison. This attack doesn't involve the i-HA in any way, all you > need is the RRQ packet. RFC 3344 is susceptible to this attack. Vijay > >> BTW, this text needs to be added to >> draft-ietf-mip4-vpn-problem-solution too. > > Yup, already added. > > BR, > > -Sami -- Mip4 mailing list: Mip4@ietf.org Web interface: https://www1.ietf.org/mailman/listinfo/mip4 Charter page: http://www.ietf.org/html.charters/mip4-charter.html Supplemental site: http://www.mip4.org/
- [Mip4] WGLC Comments: draft-ietf-mip4-mobike-conn… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Jouni Korhonen
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Henrik Levkowetz
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Sami Vaarala
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Sami Vaarala
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Sami Vaarala
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- RE: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Narayanan, Vidya
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Sami Vaarala
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Sami Vaarala
- Re: [Mip4] WGLC Comments: draft-ietf-mip4-mobike-… Vijay Devarapalli