[MEXT] [RFC3775 changes] Closure on "Use of DHAAD mechanism"
Folks,
We really need to conclude this discussion. So far 75 (seventy-five!)
messages have been exchanged on the topic. The new text is supported by
Georges and JMC, while Alex and Vijay disagree.
What do other people on the list think?
--julien
------------------------------------------------------------------------
OLD:
15.5. Dynamic Home Agent Address Discovery
The dynamic home agent address discovery function could be used to
learn the addresses of home agents in the home network.
The ability to learn addresses of nodes may be useful to attackers
because brute-force scanning of the address space is not practical
with IPv6. Thus, they could benefit from any means which make
mapping the networks easier. For example, if a security threat
targeted at routers or even home agents is discovered, having a
simple ICMP mechanism to easily find out possible targets may prove
to be an additional (though minor) security risk.
Apart from discovering the address(es) of home agents, attackers will
not be able to learn much from this information, and mobile nodes
cannot be tricked into using wrong home agents, as all other
communication with the home agents is secure.
NEW:
15.5. Dynamic Home Agent Address Discovery
The dynamic home agent address discovery function could be used to
learn the addresses of home agents in the home network.
The ability to learn addresses of nodes may be useful to attackers
because brute-force scanning of the address space is not practical
with IPv6. Thus, they could benefit from any means which make
mapping the networks easier. For example, if a security threat
targeted at routers or even home agents is discovered, having a
simple ICMP mechanism to easily find out possible targets may prove
to be an additional (though minor) security risk.
* This document does not define any authentication mechanism for
* dynamic home agent address discovery messages. Therefore the home
* agent does not know the identity of the mobile node that requested
* the list of home agents.
Apart from discovering the address(es) of home agents, attackers will
not be able to learn much from this information, and mobile nodes
cannot be tricked into using wrong home agents, as all other
communication with the home agents is secure.
* In cases where security is needed, it is advisable to consider the
* use of MIPv6 bootstrapping [Boot-Integrated] [Boot-Split], in
* conjunction with security mechanisms suggested in these
* specifications, instead of the DHAAD mechanism.
*
* Finally, it should be noted that the DHAAD mechanism is based on
* ICMP and as such, it will not work in networks that are configured
* to block ICMP messages.
------------------------------------------------------------------------
_______________________________________________
MEXT mailing list
MEXT at ietf.org
https://www.ietf.org/mailman/listinfo/mext
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
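The exchange the proposed text is about, as an added worked example that is not part of the thread or of the RFC text: a minimal encoder/decoder for the RFC 3775 Dynamic Home Agent Address Discovery messages (ICMPv6 Home Agent Address Discovery Request, type 144, and Reply, type 145), with the ICMPv6 checksum computed over the IPv6 pseudo-header. The request is addressed to the Mobile IPv6 Home-Agents anycast address of the home prefix (the RFC 2526 reserved interface identifier fdff:ffff:ffff:fffe). All addresses and the two-home-agent topology are constructed sample values from the 2001:db8::/32 documentation range, and the function names are this example's own. The point it makes concrete is the one in the NEW text: the only things a home agent can check on a request are length, type/code and checksum; nothing identifies or authenticates the requester, so the Identifier field merely matches a reply to a request.

```python
"""Added example: RFC 3775 section 6.5 DHAAD Request (type 144) and Reply
(type 145) over ICMPv6.  Not code from the thread or the RFC; sample
addresses are constructed from the 2001:db8::/32 documentation range."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
DHAAD_REQUEST = 144   # Home Agent Address Discovery Request
DHAAD_REPLY = 145     # Home Agent Address Discovery Reply
# RFC 2526 reserved subnet anycast interface identifier for Mobile IPv6
# Home-Agents: requests go to <home prefix>::fdff:ffff:ffff:fffe.
HOME_AGENTS_ANYCAST_IID = int(ipaddress.IPv6Address("::fdff:ffff:ffff:fffe"))


def home_agents_anycast(home_prefix):
    """Mobile IPv6 Home-Agents anycast address for a /64 home subnet prefix."""
    net = ipaddress.IPv6Network(home_prefix)
    if net.prefixlen != 64:
        raise ValueError("home subnet prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | HOME_AGENTS_ANYCAST_IID)


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum: ones' complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header 58) plus the message.
    Over a message whose checksum field is already filled in, it returns 0."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    data = src.packed + dst.packed
    data += struct.pack("!I3xB", len(message), ICMPV6_NEXT_HEADER) + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _finish(src, dst, message):
    """Write the checksum into bytes 2-3 of an ICMPv6 message built with 0 there."""
    return message[:2] + struct.pack("!H", icmpv6_checksum(src, dst, message)) + message[4:]


def build_request(care_of, home_prefix, identifier):
    """Mobile node side: Type, Code, Checksum, Identifier, Reserved (8 bytes).
    Nothing here authenticates the sender; the Identifier is sent in the clear
    and only serves to match a reply to this request."""
    dst = home_agents_anycast(home_prefix)
    msg = struct.pack("!BBHHH", DHAAD_REQUEST, 0, 0, identifier, 0)
    return dst, _finish(care_of, dst, msg)


def build_reply(home_agent, requester, identifier, home_agents):
    """Home agent side: the same 8-byte header followed by one or more 128-bit
    home agent addresses, in the home agent's order of preference."""
    msg = struct.pack("!BBHHH", DHAAD_REPLY, 0, 0, identifier, 0)
    msg += b"".join(ipaddress.IPv6Address(a).packed for a in home_agents)
    return _finish(home_agent, requester, msg)


def answer_request(home_agent, requester, anycast_dst, packet, home_agents):
    """Everything a home agent can verify on a request: length, type/code and
    checksum.  There is no field naming or authenticating the mobile node, so
    any host that can reach the anycast address receives the full list."""
    if len(packet) != 8:
        raise ValueError("DHAAD request must be exactly 8 bytes")
    typ, code, _, identifier, _ = struct.unpack("!BBHHH", packet)
    if typ != DHAAD_REQUEST or code != 0:
        raise ValueError("not a DHAAD request")
    if icmpv6_checksum(requester, anycast_dst, packet) != 0:
        raise ValueError("bad ICMPv6 checksum")
    return build_reply(home_agent, requester, identifier, home_agents)


def parse_reply(home_agent, requester, packet, expected_identifier):
    """Mobile node side: validate the reply and extract the home agent list."""
    if len(packet) < 8 or (len(packet) - 8) % 16:
        raise ValueError("malformed DHAAD reply")
    typ, code, _, identifier, _ = struct.unpack("!BBHHH", packet[:8])
    if typ != DHAAD_REPLY or code != 0:
        raise ValueError("not a DHAAD reply")
    if icmpv6_checksum(home_agent, requester, packet) != 0:
        raise ValueError("bad ICMPv6 checksum")
    if identifier != expected_identifier:
        raise ValueError("identifier does not match an outstanding request")
    return [ipaddress.IPv6Address(packet[i:i + 16]) for i in range(8, len(packet), 16)]


if __name__ == "__main__":
    # Constructed sample topology: home link 2001:db8:1::/64 with two home
    # agents; the mobile node is away from home at a care-of address.
    care_of, home_prefix = "2001:db8:ffff::10", "2001:db8:1::/64"
    agents = ["2001:db8:1::1", "2001:db8:1::2"]
    anycast, req = build_request(care_of, home_prefix, identifier=0x1234)
    reply = answer_request(agents[0], care_of, anycast, req, agents)
    print(anycast, [str(a) for a in parse_reply(agents[0], care_of, reply, 0x1234)])
```

Two things follow from the code rather than from the prose. First, the Identifier and checksum are the only integrity checks either side has, and both are computable by anyone on the path, so a host that can observe or guess the Identifier can also forge a reply; the NEW text's claim that mobile nodes cannot be tricked into using a wrong home agent rests entirely on the later, authenticated exchanges with the chosen home agent, not on this message. Second, because both messages are plain ICMPv6 types 144 and 145, a filter that drops ICMPv6 other than the Neighbor Discovery and error types silently breaks discovery, which is the last caveat in the proposed text.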