Re: [MEXT] [RFC3775 changes] Closure on "Use of DHAAD mechanism"
Hi Julien,
This is tricky without reading the 75 messages in order to understand the views of both sides! However, just by looking at the delta in the text, I would like to make the following observation & opinion:
It seems that all the new text is already well understood (assuming that the reader is somewhat aware of Client MIP6 and IPv6 etc.) and does not add any new critical information. Probably the only role of the NEW text is to make RFC3775 DHAAD functionality look bad! I believe the current text is quite clear enough and does not need any further clarification. IMO, we MUST be careful when we introduce a protocol with a specific functionality and a documented risk, and then come at a later time and trash that functionality by updating the same document! All the other referenced proposals are there and people are aware of them anyway.
Therefore, I would like to support keeping the OLD TEXT as is without modification.
Thanks!
Regards,
Ahmad
> -----Original Message-----
> From: mext-bounces at ietf.org [mailto:mext-bounces at ietf.org] On
> Behalf Of Julien Laganier
> Sent: Thursday, March 27, 2008 4:25 AM
> To: mext at ietf.org
> Subject: [MEXT] [RFC3775 changes] Closure on "Use of DHAAD mechanism"
>
> Folks,
>
> We really need to conclude this discussion. So far 75
> (seventy-five!) messages have been exchanged on the topic.
> The new text is supported by Georges and JMC, while Alex and
> Vijay disagree.
>
> What do other people on the list think?
>
> --julien
>
> ------------------------------------------------------------------------
> OLD:
>
> 15.5. Dynamic Home Agent Address Discovery
>
> The dynamic home agent address discovery function could be used to
> learn the addresses of home agents in the home network.
>
> The ability to learn addresses of nodes may be useful to attackers
> because brute-force scanning of the address space is not practical
> with IPv6. Thus, they could benefit from any means which make
> mapping the networks easier. For example, if a security threat
> targeted at routers or even home agents is discovered, having a
> simple ICMP mechanism to easily find out possible targets may prove
> to be an additional (though minor) security risk.
>
> Apart from discovering the address(es) of home agents, attackers will
> not be able to learn much from this information, and mobile nodes
> cannot be tricked into using wrong home agents, as all other
> communication with the home agents is secure.
>
> NEW:
>
> 15.5. Dynamic Home Agent Address Discovery
>
> The dynamic home agent address discovery function could be used to
> learn the addresses of home agents in the home network.
>
> The ability to learn addresses of nodes may be useful to attackers
> because brute-force scanning of the address space is not practical
> with IPv6. Thus, they could benefit from any means which make
> mapping the networks easier. For example, if a security threat
> targeted at routers or even home agents is discovered, having a
> simple ICMP mechanism to easily find out possible targets may prove
> to be an additional (though minor) security risk.
>
> * This document does not define any authentication mechanism for
> * dynamic home agent address discovery messages. Therefore the home
> * agent does not know the identity of the mobile node that requested
> * the list of home agents.
>
> Apart from discovering the address(es) of home agents, attackers will
> not be able to learn much from this information, and mobile nodes
> cannot be tricked into using wrong home agents, as all other
> communication with the home agents is secure.
>
> * In cases where security is needed, it is advisable to consider the
> * use of MIPv6 bootstrapping [Boot-Integrated] [Boot-Split], in
> * conjunction with security mechanisms suggested in these
> * specifications, instead of the DHAAD mechanism.
> *
> * Finally, it should be noted that the DHAAD mechanism is based on
> * ICMP and as such, it will not work in networks that are configured
> * to block ICMP messages.
> ------------------------------------------------------------------------
> _______________________________________________
> MEXT mailing list
> MEXT at ietf.org
> https://www.ietf.org/mailman/listinfo/mext
>