Attempt to group REQ-6 and REQ-7 together:

REQ-6: Mutual authentication and authorization to access to the DMM service.
The protocol solutions for DMM SHALL consider security, for example authentication and authorization mechanisms that allow a legitimate mobile host/router to access the DMM service, protection of signaling messages of the protocol solutions in terms of authentication, data integrity, and data confidentiality, opt-in or opt-out data confidentiality to signaling messages depending on network environments or user requirements.

REQ-6M (Motivation and problem statement)
Mutual authentication and authorization between a mobile host/router and an access router providing the DMM service to the mobile host/router are required to prevent potential attacks in the access network of the DMM service. Otherwise, various attacks such as impersonation, denial of service, man-in-the-middle attacks, etc., are present to obtain illegitimate access or to collapse the DMM service. Signaling messages are subject to various attacks since those messages carry context of a mobile host/router. For instance, a malicious node can forge and send a number of signaling messages to redirect traffic to a specific node. The result of such an attack is both the specific node becomes under a denial of service attack and other nodes do not receive their traffic. As signaling messages travel over the Internet, the end-to-end security is required.

H Anthony Chan

From: Jong-Hyouk Lee [mailto:[email protected]]
Sent: Friday, May 18, 2012 7:09 AM
To: jouni korhonen
Cc: h chan; [email protected]
Subject: Re: [DMM] draft requirement REQ-6: authentication and authorization

Jouni,

This requirement is for access network security between a mobile node and an access router. The actual link is required to be protected with L2 (link-layer) or L3 (IP layer) security protection. Then, it is expected to be protected with mostly L2 security protection; in this case, the use of SeND is not required. If L2 security protection is not provided for access network security, L3 security protection, e.g., SeND, is required.

When we developed this requirement, we didn’t consider ruling out the use of NDP in any case.

Cheers.

On Fri, May 18, 2012 at 2:07 AM, jouni korhonen <[email protected]> wrote:

On May 7, 2012, at 9:14 PM, h chan wrote:

> REQ-6: Mutual authentication and authorization to access to the DMM service.
> The protocol solutions for DMM SHALL rely on mutual authentication and
> authorization mechanisms that allow a legitimate mobile host/router to access
> the DMM service.

Would this requirement rule out e.g. use of IPv6 NDP for DMM purposes unless SeND is also deployed?

- Jouni

>
> REQ-6M (Motivation and problem statement)
> Mutual authentication and authorization between a mobile host/router and an
> access router providing the DMM service to the mobile host/router are
> required to prevent potential attacks in the access network of the DMM
> service. Otherwise, various attacks such as impersonation, denial of service,
> man-in-the-middle attacks, etc., are present to obtain illegitimate access or
> to collapse the DMM service.
>
> (The above has been drafted with contributions, inputs and discussions from
> various people. Additional contributions and comments are most welcome.)
>
> H Anthony Chan
>
>
> _______________________________________________
> dmm mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmm

--
RSM Department, TELECOM Bretagne, France
Jong-Hyouk Lee, living somewhere between /dev/null and /dev/random

#email: jonghyouk (at) gmail (dot) com
#webpage: http://sites.google.com/site/hurryon/
