Re: [MIPSHOP-MIH-DT] draft-melia-mipshop-mstp-solution-01a.txt

Gabor,
Thanks. I will update it if not done by Tele already.

-Subir

Gabor.Bajko@nokia.com wrote:
> Tele, Subir,
>
> Please note that  [I-D.ietf-dnsop-dnssec-operational-practices] is
> RFC4641, so please refer to this RFC number instead. And add the RFC to
> the informative references section.
>
> - gabor
>
> -----Original Message-----
> From: ext Subir Das [mailto:subir@research.telcordia.com] 
> Sent: Tuesday, November 13, 2007 3:03 PM
> To: Telemaco Melia
> Cc: mipshop-mih-dt@ietf.org
> Subject: Re: [MIPSHOP-MIH-DT] draft-melia-mipshop-mstp-solution-01a.txt
>
> Tele,
> Here is the updated Security section that is fine with Yoshi. However,
> he suggests to add the capability to know the security protocol of
> choice at the server side during discovery. I discussed with Gabor and
> he will look into this and find if it can be done by defining a new
> NAPTR, otherwise I will discuss with Yoshi again and update to you.
>
> 8.  Security Considerations
>
>    There are a number of security issues that need to be taken into
>    account during node discovery and information exchange via a
>    transport connection [I-D.ietf-mipshop-mis-ps].
>
>    In case where DHCP is used for node discovery and authentication of
>    the source and content of DHCP messages are required, it is
> recommended
>    to use either DHCP authentication option described in [RFC3118],
> where
>    available or rely upon link layer security.  This will also protect
> the
>    denial of service attacks to DHCP server.[RFC3118] provides
> mechanisms
>    for both entity authentication and message authentication.
>
>    In case where DNS is used for discovering MoS, fake DNS requests and
>    responses may cause DoS and the inability of the MN to perform a
>    proper handover, respectively.  Where networks are exposed to such
>    DoS, it is recommended that DNS service providers use the Domain Name
>    System Security Extensions (DNSSEC) as described in [RFC4033].
>    Readers may also refer to
>    [I-D.ietf-dnsop-dnssec-operational-practices] to consider the aspects
>    of DNSSEC Operational Practices.
>
>    In case where reliable transport protocol such as TCP is used for
>    transport connection between two MIHF peers, TLS [RFC4346] should be
>    used for message confidentiality and data integrity.  In particular,
>    TLS is designed for client/server applications and to prevent
>    eavesdropping, tampering, or message forgery.  Readers should also
>    follow the recommendations in [RFC4366] that provides generic
>    extension mechanisms for the TLS protocol suitable for wireless
>    environments.
>
>    In case where unreliable transport protocol such as UDP is used for
>    transport connection between two MIHF peers, DTLS [RFC4347] should be
>    used for message confidentiality and data integrity.  The DTLS
>    protocol is based on the Transport Layer Security (TLS) protocol and
>    provides equivalent security guarantees.
>
>    Alternatively, generic IP layer security, such as IPSec [RFC2401] may
>    be used where neither transport layer security for a specific
> transport
>    is available nor server only authentication is required
>
>   
>
>
>
> Telemaco Melia wrote:
>   
>> Guys,
>> file:///C:/Documents%20and%20Settings/subir/Desktop/GDQ%20Corporate%20
>> Directory.lnk <cid:part1.00010001.04030101@research.telcordia.com>
>> I started the editorial work considering the APs agreed last AC.
>> I summarize in the following the list of issues and mark them as 
>> solved/open.
>> I ll be in the office still for a while. Let me know if you wan the 
>> xml to directly edit the text.
>>
>>
>> - Do not mandate anything to .21 on the use of MIHFIDs: SOLVED The 
>> text has been removed accordingly
>>
>> - mandate both TCP/UDP server side and leave it optional for MN" 
>> SOLVED Text has been added at the end of section 6.
>> - Gabor to update the DNS draft to reflect previous point: OPEN
>>
>> - Gabor to revise section 5: OPEN
>> Text has been proposed and the section adjusted. Still work needed.
>>
>> - Gabor to update DHCP option draft for scenario 3: OPEN I added the 
>> reference to the draft the integrated bootstrapping ID refers to 
>> (draft-ietf-mip6-hiopt-08.txt) I think the DHCP option document should
>>     
>
>   
>> contain something similar.
>>
>> - me/Subir to suggest AAA extensions based on
>> draft-ietf-dime-mip6-integrated-06.txt: OPEN I did not touch this yet.
>>     
>
>   
>> We can simply refer to it for the time being.
>>
>> - Subir to revise the flow example: SOLVED
>>
>> - Nada to revise the terminology section: SOLVED I already integrated 
>> the text David proposed.
>>
>> - Subir to propose some text for L2 security for DHCP: OPEN
>>
>> - Subir to propose text discussing the issue when DHCP authentication 
>> is not available: OPEN
>>
>> - Subit to clarify with Yoshi about DTLS/TLS: OPEN
>>
>> - Tele to expand section 5.3: OPEN
>>
>> - Tele to add text that scenario 5.4 only holds for IS: OPEN
>>
>> - No need to change MoS to PoS: SOLVED
>>
>> - Nada to check with David for additional flows: OPEN
>>
>>
>>
>>
>> Tele
>>
>>
>> ----------------------------------------------------------------------
>> --
>>
>> _______________________________________________
>> MIPSHOP-MIH-DT mailing list
>> MIPSHOP-MIH-DT@ietf.org
>> https://www1.ietf.org/mailman/listinfo/mipshop-mih-dt
>>     
>
> _______________________________________________
> MIPSHOP-MIH-DT mailing list
> MIPSHOP-MIH-DT@ietf.org
> https://www1.ietf.org/mailman/listinfo/mipshop-mih-dt
>   

_______________________________________________
MIPSHOP-MIH-DT mailing list
MIPSHOP-MIH-DT@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop-mih-dt