Re: [mobile-ip] Last Call: Mobility Support in IPv6 to Proposed Standard
Hello,
I've continued the commentary of these issues under specific threads (Cc:
only mobile-ip).
Below just a few really brief summaries.
On Sat, 25 Jan 2003, Jari Arkko wrote:
> Hello Pekka and thanks for your in-depth review!
>
> Just a few quick comments below. For the rest, your e-mail has
> been filed as issues 232 through . (I'm hoping that folks can
> use a Subject line when discussing the individual items
> so it's easier to track which issue we are discussing.)
>
> * The special case NS hack is being discussed in another thread,
> and that is filed as an issue #218. I believe folks are
> coming up with a potentially less hackish solution for this.
Good.
> * The 160/128 bit entropy issue: I don't think entropy has been
> a consideration in making the Kbm 20 bytes. Rather, where
> Kbm is used (HMAC_SHA1) you can give a 20 byte input. RFC
> 2104 allows smaller lengths as well, but I'm not sure it
> increases the security; it might even lower it. But yes,
> the true entropy is what originally came into the system.
> I still think we should not explicitly make the values
> shorter. But did you want an explanation somewhere about
> the implications of the size of the original inputs?
In short: yes. :-)
> * Appliances that don't have config knobs: I agree.
>
> * Route BAs via home agent: I think we need them to go
> directly to the sender. Otherwise, after a movement,
> it is very hard to see an error response. Or?
HA should always have the up-to-date location. This seems like an issue
only if network latency of MN->HA is greater than MN->CN->HA.
> * Retransmissions and mandatory BAs -- I think you are
> right, both the A=1 and mandatory BA cases need to have
> retransmission rules and state.
Ok.
> * DHAAD security considerations. I think we have discussed
> this in the past.
I hope some of that would have ended up in sec cons then ;-).
> * Movement detection DAD & old addresses. I think all addresses
> have to be DADed per existing RFCs, if we have indeed
> seen a movement.
Perhaps not all -- globals are supposed to be globals and perhaps DAD for
them is a bit of a corner case.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
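To make the 160/128-bit entropy point concrete, here is an added example (not code from the thread, the draft, or any implementation). It assumes Kbm is derived as SHA1(home keygen token | care-of keygen token) from two 64-bit tokens, as in the Mobile IPv6 return routability design, and that Kbm keys HMAC_SHA1; it shows that the 20-byte Kbm carries no more entropy than those inputs.

```python
import hashlib
import hmac
from itertools import product

# Assumed derivation (Mobile IPv6 return routability); the thread itself
# only states that Kbm is 20 bytes and is used as an HMAC_SHA1 key.
def derive_kbm(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token): always 20 bytes."""
    return hashlib.sha1(home_token + careof_token).digest()

def bu_authenticator(kbm: bytes, data: bytes) -> bytes:
    """Binding Update authenticator: HMAC_SHA1 keyed with the full 20-byte Kbm."""
    return hmac.new(kbm, data, hashlib.sha1).digest()

def effective_kbm_entropy_bits(home_token_bits: int, careof_token_bits: int) -> int:
    """Kbm is 160 bits wide, but its entropy is bounded by what went into it.
    With the assumed 64-bit tokens this is 128 bits, not 160."""
    return min(home_token_bits + careof_token_bits, 160)

def distinct_kbm_count(token_bits: int) -> int:
    """Enumerate every Kbm reachable from two toy-sized tokens and count
    distinct keys: the count is 2**(2*token_bits), not 2**160, which is
    the whole point about the original inputs deciding the entropy."""
    space = range(2 ** token_bits)
    keys = {derive_kbm(h.to_bytes(8, "big"), c.to_bytes(8, "big"))
            for h, c in product(space, space)}
    return len(keys)

if __name__ == "__main__":
    # Constructed all-zero tokens, purely to exercise the functions.
    kbm = derive_kbm(bytes(8), bytes(8))
    print(len(kbm), effective_kbm_entropy_bits(64, 64), distinct_kbm_count(4))
```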