Hi All,

As part of asking the Security Directorate to review draft-ohba-pana-relay-02.txt, I reviewed the Security Considerations section and tried to determine how/if this relay changes the security model for PANA.

As I understand it, the original PANA protocol relied on return routability... We didn't worry about address spoofing, because the credentials were returned to the address they were meant for, meaning that only an on-link (or on path? -- but we didn't allow a path originally) attacker could spoof a client address and see the response. With introduction of relay code on the PAA, any node can pretend to be a PRE and get credentials for any other node.

This isn't mentioned in the Security considerations section, but it is potentially significant. So, there might be a need for the PAA to authorize the PRE before responding to messages from it. If there is some reason why you don't believe the PAA needs to authorize the PRE, you would (at the very least) need to explain that in the Security Considerations section.

Thanks,
Margaret


_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana