[Pana] IESG discussions on draft-ohba-pana-relay

Jari Arkko <jari.arkko@piuha.net> Thu, 23 June 2011 17:40 UTC

Return-Path: <jari.arkko@piuha.net>
X-Original-To: pana@ietfa.amsl.com
Delivered-To: pana@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE7711E817E for <pana@ietfa.amsl.com>; Thu, 23 Jun 2011 10:40:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.465
X-Spam-Level:
X-Spam-Status: No, score=-102.465 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ia4do2xIuuuX for <pana@ietfa.amsl.com>; Thu, 23 Jun 2011 10:40:51 -0700 (PDT)
Received: from p130.piuha.net (p130.piuha.net [IPv6:2001:14b8:400::130]) by ietfa.amsl.com (Postfix) with ESMTP id 7C38911E8172 for <pana@ietf.org>; Thu, 23 Jun 2011 10:40:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 695AC2CC3B; Thu, 23 Jun 2011 20:40:46 +0300 (EEST)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YRZxBVbGBEBN; Thu, 23 Jun 2011 20:40:46 +0300 (EEST)
Received: from [IPv6:::1] (unknown [IPv6:2001:14b8:400::130]) by p130.piuha.net (Postfix) with ESMTP id D1BB62CC2F; Thu, 23 Jun 2011 20:40:45 +0300 (EEST)
Message-ID: <4E037A9D.8080200@piuha.net>
Date: Thu, 23 Jun 2011 20:40:45 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>, pana@ietf.org
References: <4DF04217.3080304@toshiba.co.jp> <6491375641982933760@unknownmsgid> <BANLkTinVZ2Bvd6A+znQTiB7X-P6XXh3Cow@mail.gmail.com> <4E037743.2060602@gridmerge.com>
In-Reply-To: <4E037743.2060602@gridmerge.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Cc: draft-ohba-pana-relay@tools.ietf.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: [Pana] IESG discussions on draft-ohba-pana-relay
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2011 17:40:52 -0000

We discussed this draft today. The remaining Discuss was about how 
mandatory we should make IPsec. You had discussed about a SHOULD with 
Stephen. I suggested that while interoperability is useful and 
mandatory-to-implement mechanisms are good for it, we also have to talk 
about how much value we bring with a security mechanism. In this case 
there are some issues like MITMs able to block PANA packets. However, 
some of these vulnerabilities are not helped by relay - PAA security, as 
the relay can still do bad things, and because ARP/ND vulnerabilities 
between the client and relay in any case make it possible to become a 
MITM. Stephen had some suggested text that I agree with:

"PRE/PAA security is OPTIONAL since PANA messages are designed to be 
used in untrusted networks, but if cryptographic mechanism is supported, 
it SHOULD be IPsec."

Jari