Looks good to me. Please submit a new version.

Jari

Alper Yegin wrote:
I do not believe the security considerations of RFC 5191 are sufficient
here. In 5191 the assumption was that you are in a local network. The
threats when opening up PAAs to communication from the Internet are very
different. Of course, we can hope that the mitigating mechanisms are
largely the same. But you really need to highlight the security
differences, and explain how PANA deals (or doesn't deal) with the
issues.

I agree that highlighting the security difference between
RFC 5191 and this draft is missing, and we will highlight it.


How about this:


6. Security Considerations


   This specification is based on the PANA protocol and it exhibits the same
security properties, except for one important difference: Pre-authenticating
PaCs are not physically connected to an access network associated with the
PAA, but they are connected to some other network somewhere else on the
Internet. This distinction can create greater DoS vulnerability for systems
using PANA pre-authentication if appropriate measures are not taken. An
unprotected PAA can be forced to create state by an attacker PaC which
merely sends PCI messages.

   It is recommended that the authorized PaCs are limited to well-known IP
networks for a given PAA. A white-list of IP subnets can be implemented
either on the firewall protecting the perimeter around the PAA, or on the
PAA itself. That way not every host on the Internet can launch a DoS attack
on the PAA. This prevention measure SHOULD be used whenever it can be
practically applied to a given deployment.

   Furthermore, RFC 5191 describes how PAA can stay stateless while responding
to incoming PCIs. PAAs using pre-authentication SHOULD be following those
guidelines (see RFC 5191 Section 4.1).



Alper





_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana
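
The subnet white-list recommended in the proposed Security Considerations text above, as an added example that is not part of the original message or of the draft: a PAA-side check that drops PCIs from sources outside the configured networks before any per-PaC state is created. The class name, method names and sample prefixes are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allowlist using documentation prefixes (not from the draft).
ALLOWED_PAC_NETWORKS = ["192.0.2.0/24", "2001:db8:100::/48"]


class PciGate:
    """Hypothetical PAA front end: check the PCI source before creating state."""

    def __init__(self, allowed_networks):
        # strict=True (the default) rejects entries with host bits set, so a
        # mistyped prefix fails at start-up instead of being silently masked.
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.sessions = {}  # normalized source address -> per-PaC state

    @staticmethod
    def _normalize(source):
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return None  # unparsable source: fail closed
        # Treat ::ffff:a.b.c.d as the IPv4 address it carries, so a dual-stack
        # socket and an IPv4 socket reach the same allowlist decision.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        return addr

    def is_allowed(self, source):
        addr = self._normalize(source)
        if addr is None:
            return False
        return any(addr.version == net.version and addr in net
                   for net in self.networks)

    def handle_pci(self, source):
        """Return 'dropped' or 'accepted'; state exists only after 'accepted'."""
        if not self.is_allowed(source):
            return "dropped"  # no session entry is allocated for this source
        addr = self._normalize(source)
        self.sessions.setdefault(addr, {"pci_count": 0})["pci_count"] += 1
        return "accepted"
```
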
