IETF Logo Mail Archive

[Mip6] Comments on draft-ietf-mip6-mn-ident-option-00.txt

Jari Arkko <jari.arkko@kolumbus.fi> Sat, 18 December 2004 19:52 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14341 for <mip6-web-archive@ietf.org>; Sat, 18 Dec 2004 14:52:13 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Cfklb-0002hk-Ne for mip6-web-archive@ietf.org; Sat, 18 Dec 2004 15:01:27 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Cfkac-0002xk-LK; Sat, 18 Dec 2004 14:50:06 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CfkYm-0002NB-Er for mip6@megatron.ietf.org; Sat, 18 Dec 2004 14:48:12 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14043 for <mip6@ietf.org>; Sat, 18 Dec 2004 14:48:10 -0500 (EST)
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Cfkhg-0002aW-43 for mip6@ietf.org; Sat, 18 Dec 2004 14:57:24 -0500
Received: from kolumbus.fi (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id 4C4D3898A6 for <mip6@ietf.org>; Sat, 18 Dec 2004 21:47:39 +0200 (EET)
Message-ID: <41C48949.9080005@kolumbus.fi>
Date: Sat, 18 Dec 2004 21:47:21 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: mip6@ietf.org
References: <697DAA22C5004B4596E033803A7CEF4403B1C2D5@daebe007.americas.nokia.com>
In-Reply-To: <697DAA22C5004B4596E033803A7CEF4403B1C2D5@daebe007.americas.nokia.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8fbbaa16f9fd29df280814cb95ae2290
Content-Transfer-Encoding: 7bit
Subject: [Mip6] Comments on draft-ietf-mip6-mn-ident-option-00.txt
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7da5a831c477fb6ef97f379a05fb683c
Content-Transfer-Encoding: 7bit

I have reviewed this document. Here are my comments:

Substantial:

> [RFC2486]  Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.

It may be appropriate to refer to draft-ietf-radext-rfc2486bis-03.txt
instead. This document is in IETF LC at the moment, which means that
its in front of the ident-option draft; reference delay should not
be a problem. One good reason for switching to the bis reference
is that the ABNF in the original RFC had a number of problems.

> If this option is present in the Binding Update, it MUST be included in the corresponding reply (Binding Acknowledgement).

Hmm... why? Does not seem to be grounds for a MUST. But I wonder
why you need it in the first place.

> 5.  IANA Considerations

This one is missing the text about the subtype registry.
Here's a suggestion:

    In addition, the IANA needs to create a new namespace for
    the subtype field of the Mobile Node Identifier Option.
    The currently allocated values are as follows:

        NAI (defined in this document)      [1]

    New values for this namespace can be allocated using
    Standards Action [RFC 2434].

> it MUST be present in all subsequent Binding Updates
> used to renew the binding cache entry.

Is this really necessary? Presumably you could store
the identifier in the BCE. This would also provide
some privacy benefits, see also below.

> 4.  Security Considerations
> 
>     None.  This document defines new identifiers for a mobile node and
>     does not introduce new security threats.

I don't think this covers it completely. Here's some suggested
text that deals with a few issues:

    Mobile IPv6 already contains one mechanism for identifying
    mobile nodes, the Home Address Option [RFC 3775]. As a result,
    the vulnerabilities of the new option defined in this document
    are similar to those that already exist for Mobile IPv6. In
    particular, the use of a permanent, stable identifier may
    compromise the privacy of the user, making it possible to
    track a particular device or user as it moves through
    different locations.

    In addition, since an NAI reveals the home affiliation
    of a user, it may assist an attacker in determining the
    identity of the user, help the attacker in targeting
    specific victims, or assist in further probing of
    the username space.

    These vulnerabilities can be addressed through various
    mechanisms, such as those discussed below:

    o  Encrypting traffic at link layer such that other
       users on the same link do not see the identifiers.
       This mechanism does not help against attackers on
       the rest of the path between the mobile node and
       its home agent.

    o  Encrypting the whole packet, such as when using
       IPsec to protect the communications with the home
       agent [RFC 3776].

    o  Using an authentication mechanism that enables the
       use of privacy NAIs [RFC2486bis] or temporary,
       changing "pseudonyms" as identifiers.

    In any case, it should be noted that as the identifier
    option is only needed on the first registration at the
    home agent and subsequent registrations can use the
    home address, the window of privacy vulnerability in
    this document is reduced as compared to the RFC 3775.
    In addition, this document is a part of a solution to
    allow dynamic home addresses to be used. This is
    an improvement to privacy as well, and affects both
    communications with the home agent and the correspondent
    nodes, both of which have to be told the home address.

> The MN-NAI mobility option uses an identifier of the form user@realm
> [RFC2486].

Perhaps you could indicate whether you allow the use of
the privacy, internationalization, or bang syntaxes from
RFC2486bis.

Editorial:

> Alignment requirements:
> 
> This option does not have any alignment requirements.

This looks like a field description. Change to:

> This option does not have any alignment requirements.

(That is, indent as regular text and delete the heading.)

> Title: MN Identifier Option for Mobile IPv6

Change to "Mobile Node Identifier Option for Mobile IPv6".

> 3.  MN Identifier option 3.1  MN-NAI mobility option

I guess I'm confused here. You are defining just one
Mobile IPv6 option. I think its name should be the "Mobile
Node Identifier Option". If you want to have a subsection 3.1
to talk about the case when the type of identifier is a NAI,
that's fine. But the current 3.1. sounds like you were defining
another option.

> authentication enabling extension

Change to "authentication related extension"

> IANA should record value for this new Mobility Option.

... should record *a* value ...

--Jari

_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www1.ietf.org/mailman/listinfo/mip6

v2.23.0 | Report a Bug | By Email