Francis,

I think we disagree on this issue. IMO the I-D is missing a clear statement that a binding between the home address and IPsec SA is required. If you don't want to add this statement, let's agree to disagree.

Regards,
- Christian


Francis Dupont wrote:
 In your previous mail you wrote:

unless you bind the IPsec security association to the home address, an attacker could send a Binding Update message with a spoofed home address using its own IPsec SA. The correspondent node's IPsec instance would accept that message and hand it on to the Mobile IPv6 instance. The Mobile IPv6 instance would rely on the message being authenticated and update the binding cache entry for the spoofed home address.

=> I agree, but I can't see an issue with this: if I remove the word
"home" and all allusions to mobility, your statement still applies, so,
as I've already explained, the home address is not special and this kind of
spoofing is not specific to mobility.

You can eliminate this issue with one or two additional, clarifying sentences in your draft.

=> IMHO it is not reasonable to forbid dynamic addressing in IPsec, so
it is not reasonable to forbid dynamic or pseudo-anonymous home addresses
(pseudo-anonymous: which has no particular property attached to it).
 And please note the initial IPsec establishment has to be done before
IPsec can protect the mobility signaling so without asking anything
to IPsec for this IPsec is already at least as good as a return
routability check.
 To finish I've also already stated I am not against a SHOULD for a
protection in the case of statically assigned home addresses:
 - it is easy to do in this case
 - it improves the security
 - as this protection is required in the MN-HA context, and in this case
   the simplest way is to encode it in the certificate, it should come
   for free.
To summarize: if a spoofed home address is accepted, it is because the IPsec
configuration was set up to accept it. The only thing we have to do
is to enforce that it was not by accident.
Regards






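The spoofing scenario the two mails argue about, as an added toy model that is not code from either author or from the I-D: a correspondent node that accepts any Binding Update arriving through any valid IPsec SA, beside one that checks the claimed home address against the address the SA was established for. The class and field names, the addresses and the "bound_home_addr" attribute (standing in for whatever the SA's certificate or selector conveys) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IPsecSA:
    """An established SA as the CN sees it after IKE: the authenticated peer
    and, optionally, the home address the SA was set up for. None models
    the dynamic / pseudo-anonymous case where no such property exists."""
    spi: int
    peer_identity: str
    bound_home_addr: Optional[str]


@dataclass
class BindingUpdate:
    home_addr: str      # address the sender claims to own
    care_of_addr: str   # where traffic for home_addr should now be sent


@dataclass
class CorrespondentNode:
    bind_sa_to_home_addr: bool          # the policy under discussion
    binding_cache: dict = field(default_factory=dict)

    def receive_bu(self, sa: IPsecSA, bu: BindingUpdate) -> bool:
        """Called only for packets IPsec already authenticated under `sa`.
        Returns True if the binding cache was updated."""
        if self.bind_sa_to_home_addr and sa.bound_home_addr != bu.home_addr:
            # Hardened: an SA that was not established for this home
            # address (or that carries none at all) may not update it.
            return False
        self.binding_cache[bu.home_addr] = bu.care_of_addr
        return True


def spoofing_scenario(bind: bool) -> dict:
    """Constructed scenario: the MN owns 2001:db8:1::10; the attacker owns
    2001:db8:2::66 and has its own perfectly valid SA with the CN."""
    cn = CorrespondentNode(bind_sa_to_home_addr=bind)
    mn_sa = IPsecSA(0x1001, "mn", "2001:db8:1::10")
    atk_sa = IPsecSA(0x2002, "attacker", "2001:db8:2::66")
    cn.receive_bu(mn_sa, BindingUpdate("2001:db8:1::10", "2001:db8:cafe::1"))
    # Attacker sends a BU claiming the MN's home address through its own SA.
    accepted = cn.receive_bu(atk_sa, BindingUpdate("2001:db8:1::10", "2001:db8:bad::1"))
    return {"attacker_bu_accepted": accepted,
            "mn_traffic_goes_to": cn.binding_cache["2001:db8:1::10"]}
```

With `bind=False` the attacker's update is accepted and the MN's traffic is redirected; with `bind=True` it is rejected, and an SA created without a bound home address is rejected as well, which is exactly the dynamic-addressing case the reply objects to.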
_______________________________________________
Gen-art mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/gen-art