Hello, Stephen,

Thank you for your review and comments. Please confirm my in-line responses.

2017-03-06
Z.W. Yan

From: Stephen Farrell
Sent: 2017-03-03 00:48:40
To: The IESG
Cc: draft-ietf-dmm-hnprenum; dmm-chairs; dmm; max.ldp
Subject: [DMM] Stephen Farrell's No Objection on draft-ietf-dmm-hnprenum-06:(with COMMENT)

Stephen Farrell has entered the following ballot position for
draft-ietf-dmm-hnprenum-06: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dmm-hnprenum/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 7 says: "The protection of UPN and UPA messages in this document follows [RFC5213] and [RFC7077]." I'm not clear if "follows" means the same as "MUST be protected using end-to-end security association(s) offering integrity and data origin authentication" (RFC5213, section 4). I think it ought really, as otherwise this could subvert the security of PMIPv6. So wouldn't it make sense to be explicit that these new messages have the same MUST requirements as binding updates. Doing that by repeating the quoted text from 5213 would be a fine way to do that, but there may be better options.

The above was a discuss ballot. The AD and an author agreed with the interpretation above that adding a clarification might be good so I've cleared the discuss assuming they'll do that nicely. (Thanks).

***The following two options are available as the revision:

1) This document causes no further security problem for the signaling exchanges.

2) This document causes no further security problem for the signaling exchanges. The UPN and UPA messages in this document MUST be protected using end-to-end security association(s) offering integrity and data origin authentication as specified in [RFC5213] and [RFC7077].

Which one do you think better, Stephen?

OLD COMMENT below

- It might also be worth saying in section 7 that to provision a new HNP someone has to have set up all the IPsec stuff for that.

***Is this comment replaced by the above one?

Stephen.

_______________________________________________
dmm mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmm
