Re: [secdir] Secdir review of draft-ietf-netext-pmipv6-sipto-option-07

"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Wed, 09 January 2013 05:37 UTC

Return-Path: <sgundave@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75F971F0CFA; Tue, 8 Jan 2013 21:37:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c5wEn8YYd+2p; Tue, 8 Jan 2013 21:37:46 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id E372D1F0CF8; Tue, 8 Jan 2013 21:37:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1818; q=dns/txt; s=iport; t=1357709861; x=1358919461; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=SViUtAElm0oenmbMDtSHNTMp/+FGPSFIOhjOcLCbPgY=; b=B74CtjCr701DBGJCT/4OqfSXOOaHF43JKXvBqbRHcPWX69YQd/3AlRpc bkevEKOE2T9yXm27pQzCsCG9eZThAssNggkGXK231cCvXLSXgeZTZY+Lx /zSKuC7mGMqzoLyV367YewZXstetM5ORAqxlo1iPlbMoBDDvjTpTda4SV M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAOwA7VCtJXHB/2dsb2JhbABFvV4Wc4IgAQQ6LRISAQgiFEIlAgQBDQUIiA+3IZA0YQOmVYJ0giY
X-IronPort-AV: E=Sophos;i="4.84,435,1355097600"; d="scan'208";a="160404050"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-3.cisco.com with ESMTP; 09 Jan 2013 05:37:39 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id r095bdFo008948 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 9 Jan 2013 05:37:39 GMT
Received: from xmb-aln-x03.cisco.com ([169.254.6.233]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0318.004; Tue, 8 Jan 2013 23:37:39 -0600
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: Vincent Roca <vincent.roca@inria.fr>, IESG IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-netext-pmipv6-sipto-option.all@tools.ietf.org" <draft-ietf-netext-pmipv6-sipto-option.all@tools.ietf.org>
Thread-Topic: Secdir review of draft-ietf-netext-pmipv6-sipto-option-07
Thread-Index: AQHN7itvCHxP1JDz2ke5MpS4VCM/aQ==
Date: Wed, 09 Jan 2013 05:37:38 +0000
Message-ID: <24C0F3E22276D9438D6F366EB89FAEA8100E717B@xmb-aln-x03.cisco.com>
In-Reply-To: <6AF80A4F-EA0A-4E09-B304-043066124E4E@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.21.121.244]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <316B243D60321B44BE4AF247918E346B@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 09 Jan 2013 08:03:24 -0800
Cc: Brian Haberman <brian@innovationslab.net>, Basavaraj Patil <bpatil1@gmail.com>
Subject: Re: [secdir] Secdir review of draft-ietf-netext-pmipv6-sipto-option-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2013 05:37:54 -0000

Hi Vincent,

Thanks for the review. Please see inline.





On 11/28/12 6:34 AM, "Vincent Roca" <vincent.roca@inria.fr> wrote:

>Hello,
>
>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors. Document editors and WG chairs should treat
>these comments just like any other last call comments.
>
>--
>
>This is a small document that describes PMIPv6 options to handle
>traffic offloading. Taken alone, the "security considerations" section
>would not be sufficient. However the RFC5213 (PMIPv6) provides
>the required security guidelines. In particular it clarifies that the use
>of IPsec is recommended between the MAG and LMA for signaling
>messages. The present document therefore inherits from these
>recommendations. I therefore agree with the authors.

[Sri] Ack.


>
>A remark. It is said:
> "This option is carried like any other
>   mobility header option as specified in [RFC5213] and does not require
>   any special security considerations."
>
>It's misleading IMHO. This option does require security considerations
>since an attacker, by sending fake signaling messages, may prevent
>a mobile network from offloading traffic which may lead to a DoS.
>You'd better say something like:
>
> "This option is carried like any other
>   mobility header option as specified in [RFC5213].
>   Therefore it inherits from [RFC5213] its security guidelines
>   and does not require any additional security considerations."

[Sri] Ok. Makes sense.


>
>Typos: 
>Section 1:
>s/its only about IPv4/it is only about IPv4/


[Sri] Ok

Regards
Sri


>
>
>Cheers,
>
>   Vincent