Re: [secdir] pana-relay security considerations

Alan DeKok <aland@deployingradius.com> Fri, 07 January 2011 12:52 UTC

Message-ID: <4D270D1D.8090006@deployingradius.com>
Date: Fri, 07 Jan 2011 13:54:53 +0100
From: Alan DeKok <aland@deployingradius.com>
To: Alper Yegin <alper.yegin@yegin.org>
References: <4D009D34.1020809@deployingradius.com> <4D01DABF.6060604@toshiba.co.jp> <001101cb9aa0$367b3480$a3719d80$@yegin@yegin.org> <4D064683.30009@deployingradius.com> <4D07A874.4010702@gridmerge.com> <4D07D090.9020407@deployingradius.com> <070601cba3ad$63852150$2a8f63f0$@yegin@yegin.org>
In-Reply-To: <070601cba3ad$63852150$2a8f63f0$@yegin@yegin.org>
Cc: secdir@ietf.org, paduffy@cisco.com, margaretw42@gmail.com, pana@ietf.org, robert.cragie@gridmerge.com, samitac@ipinfusion.com, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [secdir] pana-relay security considerations

Alper Yegin wrote:
> Hi Alan, Margaret,
> 
> Based on the feedback we have received from you, we have enhanced the
> security considerations section of pana-relay I-D as follows.

  It looks good.  I'd like to know if the PRE can relay messages from
the PAA to the PaC on a non-PANA port.  If so, that needs to be
addressed somehow.  Saying "use DTLS" might not be enough.

  If the PaC always sends packets from the PANA port, then the text
should be updated to say that the PAA only sends packets to the PANA
port on the PaC.

  Alan DeKok.
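The forwarding check Alan is asking about, as an added example (not code from the pana-relay draft, its authors, or this message): a PANA Relay Element (PRE) receives a PANA-Relay (PRY) message from the PAA, extracts the PaC's IP address and UDP port from the PaC-Information AVP, and decides whether to forward the encapsulated Relayed-Message. Header layout and AVP codes follow RFC 5191 and RFC 6345 (which the pana-relay draft became). The policy itself is the assumption being illustrated: the PRE only accepts PRY from its configured PAA, only relays to UDP port 716 on the PaC, and only to an address on its own PaC-facing link, so a misbehaving or spoofed PAA cannot use the relay as a UDP reflector toward arbitrary ports or hosts. The sample messages and addresses are constructed for the example.

```python
"""PANA Relay Element (PRE) forwarding filter for PAA -> PaC traffic.

Added example. Wire constants follow RFC 5191 (PANA) and RFC 6345 (PANA
Relay Element); the forwarding policy (configured PAA only, PANA port
only, on-link PaC only) is the assumption this example demonstrates.
"""
import ipaddress
import struct
from collections import namedtuple

PANA_PORT = 716            # PANA UDP port, RFC 5191
MSG_TYPE_PRY = 5           # PANA-Relay (PRY) message type, RFC 6345
AVP_PAC_INFORMATION = 10   # PaC-Information AVP: PaC IP address + UDP port
AVP_RELAYED_MESSAGE = 11   # Relayed-Message AVP: the encapsulated PANA message
AVP_FLAG_V = 0x8000        # vendor-specific AVP flag (not handled here)

# PANA header: Reserved, Message Length, Flags, Message Type, Session ID, Sequence Number
PANA_HDR = struct.Struct("!HHHHII")
# AVP header without Vendor-Id: Code, Flags, Length (of the Value field only), Reserved
AVP_HDR = struct.Struct("!HHHH")

Decision = namedtuple("Decision", "forward reason pac_ip pac_port relayed")


def avp(code, value):
    """Encode one AVP; the Value field is padded to a 4-octet boundary."""
    return AVP_HDR.pack(code, 0, len(value), 0) + value + b"\x00" * (-len(value) % 4)


def build_pry(pac_ip, pac_port, relayed, seq=1):
    """Build a PRY as a PAA would send it to the PRE (constructed test input)."""
    pac_info = ipaddress.ip_address(pac_ip).packed + struct.pack("!H", pac_port)
    body = avp(AVP_PAC_INFORMATION, pac_info) + avp(AVP_RELAYED_MESSAGE, relayed)
    return PANA_HDR.pack(0, PANA_HDR.size + len(body), 0, MSG_TYPE_PRY, 0, seq) + body


def parse_avps(payload):
    """Yield (code, value) pairs, checking every length against the buffer."""
    off = 0
    while off < len(payload):
        if off + AVP_HDR.size > len(payload):
            raise ValueError("truncated AVP header")
        code, flags, length, _ = AVP_HDR.unpack_from(payload, off)
        if flags & AVP_FLAG_V:
            raise ValueError("vendor-specific AVPs are not handled by this example")
        start = off + AVP_HDR.size
        end = start + length
        if end > len(payload):
            raise ValueError("AVP length runs past end of message")
        yield code, payload[start:end]
        off = end + (-length % 4)   # skip padding octets


def parse_pry(pry):
    """Return (pac_ip, pac_port, relayed_message) from a PANA-Relay message."""
    if len(pry) < PANA_HDR.size:
        raise ValueError("short PANA header")
    _, msg_len, _, msg_type, _, _ = PANA_HDR.unpack_from(pry, 0)
    if msg_type != MSG_TYPE_PRY:
        raise ValueError("not a PANA-Relay message")
    if msg_len > len(pry):
        raise ValueError("Message Length exceeds datagram")
    pac_ip = pac_port = relayed = None
    for code, value in parse_avps(pry[PANA_HDR.size:msg_len]):
        if code == AVP_PAC_INFORMATION:
            if len(value) not in (4 + 2, 16 + 2):   # IPv4 or IPv6 address + 16-bit port
                raise ValueError("PaC-Information must be an IP address plus UDP port")
            pac_ip = ipaddress.ip_address(value[:-2])
            (pac_port,) = struct.unpack("!H", value[-2:])
        elif code == AVP_RELAYED_MESSAGE:
            relayed = value
    if pac_ip is None or relayed is None:
        raise ValueError("PaC-Information and Relayed-Message are both required")
    return pac_ip, pac_port, relayed


def relay_decision(pry, src_ip, paa_ip, pac_link):
    """Decide whether the PRE forwards a PRY received from src_ip.

    paa_ip is the configured PAA; pac_link is the PRE's PaC-facing prefix.
    A reject never touches the network, so the relay cannot be steered
    into sending UDP to a non-PANA port or an off-link host.
    """
    if ipaddress.ip_address(src_ip) != ipaddress.ip_address(paa_ip):
        return Decision(False, "PRY not from the configured PAA", None, None, None)
    try:
        pac_ip, pac_port, relayed = parse_pry(pry)
    except ValueError as exc:
        return Decision(False, f"malformed PRY: {exc}", None, None, None)
    if pac_port != PANA_PORT:
        # The check raised in the message above: never relay to a non-PANA port.
        return Decision(False, f"refusing to relay to non-PANA port {pac_port}",
                        pac_ip, pac_port, None)
    if pac_ip not in ipaddress.ip_network(pac_link):
        return Decision(False, "PaC address is not on the relay's PaC-facing link",
                        pac_ip, pac_port, None)
    return Decision(True, "ok", pac_ip, pac_port, relayed)
```

A PRE built this way would call relay_decision() on every datagram arriving on its PAA-facing socket and send the returned relayed bytes to (pac_ip, pac_port) only when forward is true. The port check is the one Alan asks for; whether the PAA can legitimately address a PaC on any other port depends on what the PaC uses as its source port, which is exactly the question left open in the message, so the constant here should be adjusted if the draft settles on a different rule.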