Re: [secdir] Secdir review of draft-ietf-mext-flow-binding-06
Tina TSOU <tena@huawei.com> Thu, 06 May 2010 02:01 UTC
The Security Considerations section must at least point to an RFC in which the relevant security analysis for binding updates and acknowledgements is documented. The authors may consider adding the following text:

"This specification does not open up new fundamental lines of attack on communications between the MN and its correspondent nodes. However, it allows attacks of a finer granularity than those on the basic binding update. For instance, the attacker can divert or replicate flows of special interest to the attacker to an address of the attacker's choosing, if the attacker is able to impersonate the MN or modify a binding update sent by the MN. Hence it becomes doubly critical that authentication and integrity services are applied to binding updates."

B. R.
Tina
http://tinatsou.weebly.com/contact.html

----- Original Message -----
From: Tina TSOU
To: secdir@ietf.org ; draft-ietf-mext-flow-binding@tools.ietf.org
Cc: mext-chairs@tools.ietf.org
Sent: Wednesday, May 05, 2010 5:45 PM
Subject: Re: Secdir review of draft-ietf-mext-flow-binding-06

Resending to the correct email addresses of the authors...

----- Original Message -----
From: Tina TSOU
To: secdir@ietf.org
Cc: draft-ietf-mext-flow-binding-06@tools.ietf.org ; mext-chairs@tools.ietf.org
Sent: Wednesday, May 05, 2010 5:05 PM
Subject: Secdir review of draft-ietf-mext-flow-binding-06

Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Some of my comments follow.

Comment 1: The title of this document focuses on flow binding in Mobile IPv6 and NEMO. However, it is not clear how flow binding is supported in NEMO. Is the mobile router operation in NEMO the same as mobile node operation in Mobile IPv6?

Comment 2: Is the flow summary mobility option one sub-option of the Flow Identification Mobility Option, or one independent new mobility option?

Comment 3: Should the HA, CN and MAP all support this specification? If the HA does not support it, how are inbound flows directed to specific addresses, since one or more flows may bind to a care-of address?

B. R.
Tina
http://tinatsou.weebly.com/contact.html