
Re: [PART-I] Gen-ART LC and Telechat Review of draft-ietf-mext-binding-revocation-10

2009-09-02 17:29:12

On Sep 1, 2009, at 3:35 PM, Ahmad Muhanna wrote:

[...]
So is it true that using bulk revocation without IPSec could make it
possible for an attacker to masquerade as an authorized party, and
delete large numbers of bindings with a single BRI?
[Ahmad]
Well, we need to be a little careful here:) I think what you meant to
say here is without any security mechanism.

In particular, without an authentication mechanism.

So, if no valid SA is being used to protect the binding revocation
signaling and, I assume, the MIP6/PMIP6 signaling, then a lot of bad
things could happen.

Right, and those bad things seem at least slightly worse with BRI than without it, due to the bulk revocation mechanism--so additional mention seems appropriate.
Or are there
underlying architectural features that prevent or make this hard?
[Ahmad]
I am not quite sure what you mean by the underlying architectural
features in this context. But I can say the following: If no security
mechanism (SA) is being used, neither BU/BA nor BRI/BRA are allowed to
be used for establishing nor revoking mobility sessions.
Hmm--maybe this is all some confusion on my part. Somewhere I got the impression the requirement to use IPSec for BU messages was SHOULD strength. But in rereading RFC3775, I see it at MUST strength. But I am then confused by the language in this draft that says "If IPSec is used..."

So, to close on this--do you consider the _use_ of IPSec for BRI to be a SHOULD or MUST? If it's a MUST, then I withdraw my comments about "what happens if you don't use IPSec?", and apologize for the confusion.
think just discussing that in the SecCon would go a long way towards
addressing my concerns.)
[Ahmad]
I am in the process of rewriting the security section and the whole
draft to address all comments. Will re-evaluate before publishing whether
we need anything specific here.

Okay.

Thanks!

Ben.
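The point the thread settles on is that a BRI/BRA exchange is only acceptable when it is protected by a valid SA, and that bulk revocation raises the stakes because one accepted message can tear down many bindings. The following is an added illustration, not code from the draft or from any Mobile IPv6 implementation: a toy mobility anchor whose binding cache can only be revoked by a BRI that (a) arrived under an SA the anchor knows, (b) whose SA authenticates the claimed sender, and (c) only for bindings that sender owns. The message fields `sender`, `sa_id`, `bulk` and `targets`, and the `Anchor` API, are hypothetical simplifications; real BRI encoding and IPsec processing are not modelled.

```python
"""Toy model of SA-gated Binding Revocation Indication (BRI) handling.

Added example, not the draft's or any implementation's code.  Assumptions:
 - a binding cache maps a home address to the peer (e.g. a MAG or HA) that
   registered it;
 - an SA is represented by an identifier that the anchor has bound to one
   authenticated peer, and a message carries the id of the SA it arrived
   under, or None if it was unprotected;
 - a BRI with bulk=True asks to revoke every binding of its sender,
   otherwise it lists individual home addresses in `targets`.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class BRI:
    sender: str                 # peer the message claims to come from (hypothetical field)
    sa_id: Optional[str]        # SA the message arrived under; None = unprotected
    bulk: bool                  # revoke all of the sender's bindings at once
    targets: List[str] = field(default_factory=list)  # used when bulk is False


class Anchor:
    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}  # home address -> owning peer
        self.sas: Dict[str, str] = {}       # sa_id -> peer that SA authenticates
        self.log: List[str] = []

    def register(self, hoa: str, peer: str) -> None:
        self.bindings[hoa] = peer

    def install_sa(self, sa_id: str, peer: str) -> None:
        self.sas[sa_id] = peer

    def handle_bri(self, msg: BRI) -> Tuple[str, List[str]]:
        """Return (outcome, revoked home addresses)."""
        # Check 1: an unprotected BRI is never acted upon, bulk or not.
        if msg.sa_id is None or msg.sa_id not in self.sas:
            self.log.append(f"reject BRI from {msg.sender}: no valid SA")
            return ("rejected-no-sa", [])
        # Check 2: the SA must authenticate the peer named in the message.
        if self.sas[msg.sa_id] != msg.sender:
            self.log.append(f"reject BRI: SA {msg.sa_id} does not belong to {msg.sender}")
            return ("rejected-sa-mismatch", [])
        # Authorization: a peer may only revoke the bindings it registered.
        if msg.bulk:
            victims = [h for h, p in self.bindings.items() if p == msg.sender]
        else:
            victims = [h for h in msg.targets if self.bindings.get(h) == msg.sender]
        for hoa in victims:
            del self.bindings[hoa]
        self.log.append(f"revoked {len(victims)} binding(s) for {msg.sender}")
        return ("revoked", victims)


def demo() -> Dict[str, object]:
    """Constructed scenario: two peers, one SA, three BRIs of differing trust."""
    a = Anchor()
    for i in range(3):
        a.register(f"2001:db8:1::{i + 1}", "mag1")   # constructed sample addresses
    a.register("2001:db8:2::1", "mag2")
    a.install_sa("sa-1", "mag1")                     # only mag1 has an SA with the anchor

    # An unprotected bulk BRI that merely claims to be mag1: must be ignored.
    spoofed = a.handle_bri(BRI(sender="mag1", sa_id=None, bulk=True))
    # A bulk BRI under sa-1 but naming mag2: SA/sender mismatch, must be ignored.
    mismatch = a.handle_bri(BRI(sender="mag2", sa_id="sa-1", bulk=True))
    # A genuine bulk BRI from mag1 under its SA: revokes exactly mag1's bindings.
    genuine = a.handle_bri(BRI(sender="mag1", sa_id="sa-1", bulk=True))
    return {
        "spoofed": spoofed,
        "mismatch": mismatch,
        "genuine": genuine,
        "remaining": dict(a.bindings),
        "log": list(a.log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The order of the checks is deliberate: the SA check runs before any lookup in the binding cache, so an unprotected message costs the anchor nothing and cannot influence state regardless of how many bindings it names.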
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf