ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Geopriv] Review of draft-ietf-geopriv-http-location-delivery-07

2008-05-27 09:33:17
from [Tschofenig, Hannes (NSN - FI/Espoo)] [Permanent Link] 
Hi Ekr, 

~snip~


  

When you operate a network and you want this stuff to work then you 
have to consider this aspect.
In the past a few folks have suggested to write a BCP about how 
different deployments may deal with this aspect but I believe it is 
far too early todo so for a BCP.


The problem is that I'm not sure that this is an issue that 
can be solved by the network operator. In the example I 
described, it sounds to me like new protocol work may be required.


So far, there was nobody who believed that new protocol work would be
required. 





The reference points to the device. What the Target uses 

this reference 

either for itself (if it wants to learn it's own 

location) or (more 

likely) it forwards that URI to someone else, for example 

to a PSAP.

    


OK, but then what protocol is spoken over that URI? (see my 
comments on S 8 below).


  

The answer is:


http://tools.ietf.org/id/draft-winterbottom-geopriv-deref-proto
col-00.txt

What's the status of that document?



At the last meeting the group agreed that this document should become a
WG item. 
I believe my co-author has submitted the document but it got stuck
somewhere. 

Thanks for reminding me to ping my co-authors again. 





Well, lots of protocols would benefit from not having IP address
spoofing, but again, you're making a levy on network operations
on a global scale, no?

  

If you want to deal with certain attacks then you may want todo 
something about it.


Sorry, I don't think I get what you're saying here.


Let me give you an example from the emergency services space where this
work could be  helpful. 

If the network operator wants to make location information available to
the end host then they have various protocol choices. However, there is
more beyond just using protocols we develop in the IETF, the IEEE or
some other SDOs develop. You need to give the Location Server a way to
perform location determination, i.e., it gets some identifier as input
and then it needs to determine the physical location of that node. 
In some environment that's simpler than in others and it also depends on
the quality of the location you would like to get back. 

Regardless of what identifier you pick for the lookup (let it be a MAC
address, IP address, etc.) you may want to think about cases where an
adversary uses an identifier of someone else. This would potentially
allow him to learn location of someone other than his own location. 

In certain networks this might indeed be possible, for a more detailed
discussion see
http://www.ietf.org/internet-drafts/draft-ietf-geopriv-l7-lcp-ps-07.txt

As a network operator you might want to evaluate whether your network
infrastructure is vulnerable to such an attack and to take the
corresponding steps to mitigate them. 

Ciao
Hannes
_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  AW: draft-mayrhofer-geopriv-geo-uri-00, Alexander Mayrhofer
Next by Date:  RE: ISSN for RFC Series under Consideration, Glen Zorn
Previous by Thread:  RE: [Geopriv] [secdir] Review ofdraft-ietf-geopriv-http-location-delivery-07, Tschofenig, Hannes (NSN - FI/Espoo)
Next by Thread:  Re: [Geopriv] Review of draft-ietf-geopriv-http-location-delivery-07, Eric Rescorla
Indexes:  [Date] [Thread] [Top] [All Lists]