Re: [secdir] secdir review of draft-ietf-conex-mobile-05

Dirk Kutscher <> Fri, 11 September 2015 08:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CD4E91B3FF4; Fri, 11 Sep 2015 01:52:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EjPeuyI4V116; Fri, 11 Sep 2015 01:52:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BD3B51B3F70; Fri, 11 Sep 2015 01:51:59 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id D26B910A888; Fri, 11 Sep 2015 10:51:56 +0200 (CEST)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fsA3OMzqnvIx; Fri, 11 Sep 2015 10:51:56 +0200 (CEST)
X-ENC: Last-Hop-TLS-encrypted
X-ENC: Last-Hop-TLS-encrypted
Received: from ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF40510A0A2; Fri, 11 Sep 2015 10:51:48 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0210.002; Fri, 11 Sep 2015 10:51:48 +0200
From: Dirk Kutscher <>
To: "Xialiang (Frank)" <>, secdir <>, "" <>, "" <>
Thread-Topic: secdir review of draft-ietf-conex-mobile-05
Thread-Index: AdDsK7I1VyJu7Bl6QJ2ZXX3RKt6srwAQblSw
Date: Fri, 11 Sep 2015 08:51:48 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: de-DE, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_82AB329A76E2484D934BBCA77E9F52499A07A349Hydraofficehd_"
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Approved-At: Fri, 11 Sep 2015 04:05:12 -0700
Subject: Re: [secdir] secdir review of draft-ietf-conex-mobile-05
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Sep 2015 08:52:07 -0000

Hi Frank,

thanks for the review.

The security issues you mentioned would apply to ConEx in general. The corresponding documents are discussing potential security issues: (also see the references)

We'd therefore rather not duplicate that discussion in conex-mobile.

Regarding the security risks you mentioned, I'd say it is questionable whether ConEx introduces additional issues for confidentiality (compared to IP alone).


From: Xialiang (Frank) []
Sent: Freitag, 11. September 2015 02:49
To: secdir;;
Subject: secdir review of draft-ietf-conex-mobile-05

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comment.

This memo describes a mobile communications use case for congestion exposure (ConEx) with a particular focus on those mobile communication networks that are architecturally similar to the 3GPP Evolved Packet System (EPS).

I have the following comments:

l  1. It should be helpful to consider the communication security between the ConEx senders and receivers such as the Confidentiality, data integrity and peer entity authentication in the security considerations part. Because in general, the corresponding risks are still possible to exist.

l  2. The authentication mechanism among all the elements of ConEx solution should also be considered to handle the condition of faked messages or invalid peer elements.

Recommendation:  Ready With Issues