[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-ietf-v6ops-addr-select-ps-01.txt and draft-ietf-v6ops-addr-select-req-02.txt WGLC
Hi Brian,
thank you for your comments.
Brian E Carpenter wrote:
I think this is useful work. I have no substantive comments
on draft-ietf-v6ops-addr-select-ps. I have a couple of
concerns with draft-ietf-v6ops-addr-select-req-02:
> 2.8. Next-hop Selection
>
> The mechanism can control next-hop-selection behavior at hosts or
> cooperate with other routing mechanisms, such as routing protocols
> and RFC 4191 [RFC4191]. If the address-selection mechanism is used
> with a routing mechanism, the two mechanisms has to be able to work
> synchronousely.
Do we really want to mix these two issues? Wouldn't a better design
be to say that RFC 4191 *is* the solution to control next-hop selection
and choice of source address? Then the constraint here is only to allow
simultaneous usage with 4191.
Some mechanisms that are already proposed to us or to WG seem to be
able to have capability of next-hop selection as well as address selection.
So, we didn't yet narrow down to the simultaneous usage with the existing
routing mechanisms.
> 3. Security Considerations
>
> Incorrect address-selection can lead to serious security problems,
> such as session hijack. However, we should note that address-
> selection is ultimately decided by nodes and their users. There are
> no means to enforce a specific address-selection behavior upon every
> end-host from outside of the host. Therefore, a network
> administrator has to take countermeasures for unexpected address
> selection.
As a threat analysis, this seems a bit weak. Should we say after the
first sentence that this threat requires address-selection messages
to be authenticated?
Protection method depends on the mechanism for solving address selection
problems and also on the network environment. For example, if the mechanism
allows a host to receive control messages only from routers in his subnet
and his network isn't open to the public, authentication may not be necessary.
In this section, we described general security issues that can have effect
on the solution mechanisms. We didn't mention how to protect against these
security risks, because we thought it depends on the mechanisms and
network environment.
What does the last sentence mean? Does it mean that ingress
filtering needs to be implemented at the first-hop router?
Yes, I think ingress filter is an effective preventive method.
What I want to stress is that even if the network administrator delivers
address selection policies to every host, he should not believe his
policies is adopted in every host.
Best regards,
--
Arifumi Matsumoto
IP Technology Expert Team
Secure Communication Project
NTT Information Sharing Platform Laboratories
E-mail: arifumi@nttv6.net