Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-split-01 - Comments
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Thu, 01 December 2005 12:46 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Ehnpj-0003ez-D8; Thu, 01 Dec 2005 07:46:43 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Ehnph-0003ed-GX for mip6@megatron.ietf.org; Thu, 01 Dec 2005 07:46:42 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA15538 for <mip6@ietf.org>; Thu, 1 Dec 2005 07:45:54 -0500 (EST)
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EhoAA-00042J-25 for mip6@ietf.org; Thu, 01 Dec 2005 08:07:51 -0500
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id jB1CkAg21013; Thu, 1 Dec 2005 13:46:10 +0100
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.13.1/8.13.1) with ESMTP id jB1Ck8FV041344; Thu, 1 Dec 2005 13:46:08 +0100 (CET) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200512011246.jB1Ck8FV041344@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Vijay Devarapalli <vijayd@iprg.nokia.com>
Subject: Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-split-01 - Comments
In-reply-to: Your message of Wed, 30 Nov 2005 16:24:35 PST. <438E42C3.4060502@iprg.nokia.com>
Date: Thu, 01 Dec 2005 13:46:08 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 21c69d3cfc2dd19218717dbe1d974352
Cc: Gerardo Giaretta <Gerardo.Giaretta@tilab.com>, mip6@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
In your previous mail you wrote:
> => IMHO an IKEv2 implementation should perform a proxy DAD when it
> allocates an address before returning it as it should provide
> a proxy NDP service (i.e., reply to NS by not-overriding NA).
> Both should be configurable with by default being on.
okay, but I dont think we should mandate the IKEv2 implementation
to do proxy DAD.
=> we (as the MIP6 WG) should not but we (as the IETF) should.
> the authorization check is required. cant be skipped.
>
> => show us where this authorization for the address is required
> or even mentioned in RFC 2136, PLEASE!
in the security considerations section we have the following.
=> this is fully irrelevant as this is *not* from the RFC 2136.
This
choice was motivated by a concern for preventing redirection-based
flooding attacks (see draft-ietf-mip6-ro-sec [19] for more
information about redirection-based flooding attacks and the role
preventing them played in the design of Mobile IPv6 route
optimization security). Exactly as for route optimization, it is
possible for a node that is the legitimate owner of a DNS FQDN -
in the sense that it has a security association with the DNS
server allowing it to perform dynamic DNS update of its FQDN - to
bind its FQDN to the address of a victim, then redirect large
volumes of traffic at the victim. The attack may be propagated
without the owner's knowledge, for example, if the node is
compromised by malware, or it may be intentional if the node
itself is the attacker.
if RFC 2136 ignored this, I cant help it.
=> the RFC 2136 ignored this and it is in its scope, not in the scope
of the MIP6 WG.
Regards
Francis.Dupont@enst-bretagne.fr
_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www1.ietf.org/mailman/listinfo/mip6
- [Mip6] WGLC: draft-ietf-mip6-bootstrapping-split-… Narayanan Vidya-CVN065
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli
- RE: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Narayanan Vidya-CVN065
- RE: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Gerardo Giaretta
- [Mip6] RE: WGLC: draft-ietf-mip6-bootstrapping-sp… Gerardo Giaretta
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vidya Narayanan
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vidya Narayanan
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vidya Narayanan
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Francis Dupont
- Re: [Mip6] WGLC: draft-ietf-mip6-bootstrapping-sp… Vijay Devarapalli