Re: [secdir] secdir review of draft-ietf-mext-binary-ts-04

"Tsirtsis, George" <> Mon, 08 March 2010 15:38 UTC

From: "Tsirtsis, George" <>
To: "Joseph Salowey (jsalowey)" <>, "" <>, "" <>, "" <>
Date: Mon, 8 Mar 2010 07:38:04 -0800

Thanks Joseph, some comments inline...

-----Original Message-----
From: Joseph Salowey (jsalowey) [] 
Sent: Monday, March 08, 2010 12:46 AM
Subject: secdir review of draft-ietf-mext-binary-ts-04

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I didn't find any security issues in the draft.  

GT> That's good news, thanks.

The security
considerations section points to draft-ietf-mext-flow-binding-05.  The
referenced section is a bit thin and doesn't really say what bad things
could happen if the binding is falsified.  If unprotected bindings are
not an option, this may be OK.  

GT> Unprotected bindings are NOT an option, since all bindings (including the extensions defined in draft-ietf-mext-flow-binding-05 and in draft-ietf-mext-binary-ts-04) are authenticated as per the base MIPv6 specification, RFC 3775.

If they are an option, it would be good
to have a better understanding of what the risks are with the various
levels of protection. If this is done, it might be possible that there
are specific considerations around some of the data types defined in
draft-ietf-mext-binary-ts-04, but I don't think that would be the case.