Re: [secdir] Token (was RE: Secdir review of draft-ohba-pana-relay)

Alan DeKok <aland@deployingradius.com> Mon, 13 December 2010 16:13 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4DF0A3A6DDA; Mon, 13 Dec 2010 08:13:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.578
X-Spam-Level:
X-Spam-Status: No, score=-102.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OW53gkZ0O4-K; Mon, 13 Dec 2010 08:13:22 -0800 (PST)
Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by core3.amsl.com (Postfix) with ESMTP id 7A8B53A6DD2; Mon, 13 Dec 2010 08:13:22 -0800 (PST)
Message-ID: <4D064683.30009@deployingradius.com>
Date: Mon, 13 Dec 2010 17:14:59 +0100
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Alper Yegin <alper.yegin@yegin.org>
References: <4D009D34.1020809@deployingradius.com> <4D01DABF.6060604@toshiba.co.jp> <001101cb9aa0$367b3480$a3719d80$@yegin@yegin.org>
In-Reply-To: <001101cb9aa0$367b3480$a3719d80$@yegin@yegin.org>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: 'Yoshihiro Ohba' <yoshihiro.ohba@toshiba.co.jp>, secdir@ietf.org, draft-ohba-pana-relay@tools.ietf.org, margaretw42@gmail.com, pana@ietf.org, paduffy@cisco.com, robert.cragie@gridmerge.com, samitac@ipinfusion.com, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [secdir] Token (was RE: Secdir review of draft-ohba-pana-relay)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2010 16:13:23 -0000

Alper Yegin wrote:
> Arbitrary traffic cannot pass the validation on the PaC, as the sequence
> numbers need to match. And there is also state machine match needed. PaC's
> is in certain state and would not react to any arbitrary message unless the
> message is expected in the current state.

  If the traffic is sent to the PANA port used by the PaC.  The traffic
*can* be sent to other ports.  As it stands today, the draft doesn't
appear to prevent this.

  The idea of the token is to add limited state to the PRE.  It will
only send messages that are (a) valid PANA messages, (b) to the IP of a
PaC, and (c) to the port used by the PaC used to send PANA messages.

  Using DTLS in between the PRE and PAA would achieve the same effect.
The possibility of a rogue PAA is removed, so no token is required.

  Alan DeKok.