Re: [Pana] IESG discussions on draft-ohba-pana-relay
Jari Arkko <jari.arkko@piuha.net> Thu, 30 June 2011 21:01 UTC
Return-Path: <jari.arkko@piuha.net>
X-Original-To: pana@ietfa.amsl.com
Delivered-To: pana@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 509A821F86C0 for <pana@ietfa.amsl.com>; Thu, 30 Jun 2011 14:01:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.314
X-Spam-Level:
X-Spam-Status: No, score=-102.314 tagged_above=-999 required=5 tests=[AWL=0.285, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdtQNdcx2-4e for <pana@ietfa.amsl.com>; Thu, 30 Jun 2011 14:01:05 -0700 (PDT)
Received: from p130.piuha.net (p130.piuha.net [IPv6:2001:14b8:400::130]) by ietfa.amsl.com (Postfix) with ESMTP id A26A221F86BF for <pana@ietf.org>; Thu, 30 Jun 2011 14:01:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 8BE5E2CEA0; Fri, 1 Jul 2011 00:01:04 +0300 (EEST)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izZKL9XSFITR; Fri, 1 Jul 2011 00:01:03 +0300 (EEST)
Received: from [IPv6:::1] (unknown [IPv6:2001:14b8:400::130]) by p130.piuha.net (Postfix) with ESMTP id 3424D2CC39; Fri, 1 Jul 2011 00:01:03 +0300 (EEST)
Message-ID: <4E0CE40F.10202@piuha.net>
Date: Thu, 30 Jun 2011 23:01:03 +0200
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: Alper Yegin <alper.yegin@yegin.org>
References: <4DF04217.3080304@toshiba.co.jp> <6491375641982933760@unknownmsgid> <BANLkTinVZ2Bvd6A+znQTiB7X-P6XXh3Cow@mail.gmail.com> <4E037743.2060602@gridmerge.com> <4E037A9D.8080200@piuha.net> <021a01cc3246$0b890390$229b0ab0$@yegin@yegin.org>
In-Reply-To: <021a01cc3246$0b890390$229b0ab0$@yegin@yegin.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ohba-pana-relay@tools.ietf.org, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, pana@ietf.org
Subject: Re: [Pana] IESG discussions on draft-ohba-pana-relay
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2011 21:01:06 -0000
I'm fine this version as well. jari Alper Yegin kirjoitti: > I think importing text from the other one Stephen had suggested would be an > improvement. Like this: > > > 3. Security of Messages Sent between PRE and PAA > > PRE/PAA security is OPTIONAL since PANA messages are designed to be > used in untrusted networks, but if cryptographic mechanism is > supported, it SHOULD be IPsec. When the device characteristics preclude > support for IPsec, an alternative mechanism such as DTLS [REF], or > link-layer cryptographic security, etc. may be used instead. This section > describes how IPsec [RFC4301] can be used for securing the PANA relay > messages. > > Alper > > > > > >> -----Original Message----- >> From: Jari Arkko [mailto:jari.arkko@piuha.net] >> Sent: Thursday, June 23, 2011 8:41 PM >> To: Yoshihiro Ohba; pana@ietf.org >> Cc: Stephen Farrell; draft-ohba-pana-relay@tools.ietf.org >> Subject: IESG discussions on draft-ohba-pana-relay >> >> We discussed this draft today. The remaining Discuss was about how >> mandatory we should make IPsec. You had discussed about a SHOULD with >> Stephen. I suggested that while interoperability is useful and >> mandatory-to-implement mechanisms are good for it, we also have to talk >> about how much value we bring with a security mechanism. In this case >> there are some issues like MITMs able to block PANA packets. However, >> some of these vulnerabilities are not helped by relay - PAA security, >> as >> the relay can still do bad things, and because ARP/ND vulnerabilities >> between the client and relay in any case make it possible to become a >> MITM. Stephen had some suggested text that I agree with: >> >> "PRE/PAA security is OPTIONAL since PANA messages are designed to be >> used in untrusted networks, but if cryptographic mechanism is >> supported, >> it SHOULD be IPsec." >> >> Jari >> > > >
- [Pana] Fwd: [IANA #454490] Last Call: <draft-ohba… Yoshihiro Ohba
- Re: [Pana] Fwd: [IANA #454490] Last Call: <draft-… Alper Yegin
- Re: [Pana] Fwd: [IANA #454490] Last Call: <draft-… Yoshihiro Ohba
- Re: [Pana] Fwd: [IANA #454490] Last Call: <draft-… Ralph Droms
- Re: [Pana] Fwd: [IANA #454490] Last Call: <draft-… Yoshihiro Ohba
- [Pana] IESG discussions on draft-ohba-pana-relay Jari Arkko
- Re: [Pana] IESG discussions on draft-ohba-pana-re… Yoshihiro Ohba
- Re: [Pana] Fwd: [IANA #454490] Last Call: <draft-… Yoshihiro Ohba
- Re: [Pana] IESG discussions on draft-ohba-pana-re… Glen Zorn
- Re: [Pana] Fwd: [IANA #454490] Last Call: <draft-… Alper Yegin
- Re: [Pana] IESG discussions on draft-ohba-pana-re… Alper Yegin
- Re: [Pana] IESG discussions on draft-ohba-pana-re… Alper Yegin
- Re: [Pana] IESG discussions on draft-ohba-pana-re… Jari Arkko
- Re: [Pana] IESG discussions on draft-ohba-pana-re… Jari Arkko