>>>>> On Mon, 16 Aug 2004 11:20:53 +0200, 
>>>>> Francis Dupont <[EMAIL PROTECTED]> said:

>  In your previous mail you wrote:
>    Please let me check...are you saying something like this?
   
>    The proposed text says:
   
>      unqualified IP addresses cannot safely be used for IKE negotiation.
   
> => unqualified is not accurate enough: the idea is about scoped addresses
> without scope IDs. And the issue is not only for IKE, it is for any
> similar protocol not using scope ID (not clothed address).

>    but, for example, we should (safely) be able to perform IKE
>    negotiation for an SA with link-local addresses if the IKE packets are
>    sent from/to the link-local addresses (since then the appropriate zone
>    can be determined from the zone of the IP packets).
   
> => the example is correct but IMHO an example where the negotiation is
> not safe (IKE runs over global addresses with traffic selectors using
> bare link-local addresses) is better.

So, if I understand you correctly, your points are

- use "scoped addresses without scope IDs" instead of "unqualified
  address"
- make sure that the issue of IKE is just one example (I think the
  original proposed text was clear on this though)

Then how about the following change?

Proposed resolution (old)

   The ambiguity of limited scope addresses has security implications.
   In particular, unqualified source IP addresses regarding their scope
   cannot safely be used in security contexts such as access control
   lists or key negotiations for IP security.

Proposed resolution (new)

   A limited-scope address without its zone identifier value has
   security implications, and cannot be used in some security
   contexts.  For example, a link-local address cannot be used as a
   part of a security association for Internet Key Exchange (IKE) when
   the IKE packets are carried over global addresses.  Also, a
   link-local address without its zone identifier cannot be used in
   access control lists.

                                        JINMEI, Tatuya
                                        Communication Platform Lab.
                                        Corporate R&D Center, Toshiba Corp.
                                        [EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
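Added illustration of the point argued in the message above; this code is not part of the message, the draft text, or any IETF document. It models an address plus its RFC 4007 zone identifier, an access control list that refuses bare link-local entries, and the IKE case from the proposed text: a bare link-local traffic selector is accepted only when the IKE packets themselves travel between zoned link-local addresses on one link, from which the zone is inherited; when IKE runs over global addresses the selector is rejected as ambiguous. The function names, interface names (eth0, eth1) and all addresses are constructed for the example.

```python
"""Scoped IPv6 addresses without a zone identifier in security contexts.

Example code added to the discussion; not from the original message or
any IETF text.  All addresses, zone names and ACL entries below are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScopedAddress:
    """An IPv6 address plus the zone (interface) it belongs to, if any."""
    addr: ipaddress.IPv6Address
    zone: Optional[str]

    @property
    def is_scoped(self) -> bool:
        # Only link-local unicast is treated as a limited-scope address here;
        # a global unicast address needs no zone ID to be unambiguous.
        return self.addr.is_link_local

    @property
    def is_ambiguous(self) -> bool:
        # fe80::1 names a different node on every link, so without a zone
        # it does not identify a single host.
        return self.is_scoped and self.zone is None

    def __str__(self) -> str:
        return f"{self.addr}%{self.zone}" if self.zone else str(self.addr)


def parse_scoped(text: str) -> ScopedAddress:
    """Parse the RFC 4007 textual form 'addr' or 'addr%zone'."""
    addr_text, _, zone = text.partition("%")
    return ScopedAddress(ipaddress.IPv6Address(addr_text), zone or None)


def build_acl(entries):
    """Build an ACL, refusing link-local entries that carry no zone ID."""
    acl = []
    for text in entries:
        entry = parse_scoped(text)
        if entry.is_ambiguous:
            raise ValueError(f"ACL entry {entry} is link-local with no zone ID")
        acl.append(entry)
    return frozenset(acl)


def acl_allows(acl, source: str) -> bool:
    """Match on (address, zone): fe80::1%eth1 never matches fe80::1%eth0."""
    src = parse_scoped(source)
    if src.is_ambiguous:
        return False  # cannot tell which link the packet arrived on
    return src in acl


def resolve_selectors(ike_local: str, ike_peer: str, selectors):
    """Qualify link-local traffic selectors from the IKE carrier addresses.

    Returns the selectors as ScopedAddress values with zones filled in, or
    raises ValueError when a bare link-local selector cannot be qualified.
    """
    local, peer = parse_scoped(ike_local), parse_scoped(ike_peer)
    if local.is_ambiguous or peer.is_ambiguous:
        raise ValueError("IKE carried over link-local addresses without zone IDs")
    # A zone can be inherited only when IKE itself runs link-local, on one link.
    carrier_zone = (local.zone if local.is_scoped and peer.is_scoped
                    and local.zone == peer.zone else None)
    resolved = []
    for text in selectors:
        sel = parse_scoped(text)
        if sel.is_ambiguous:
            if carrier_zone is None:
                raise ValueError(
                    f"selector {sel} is link-local without a zone ID and the "
                    f"IKE packets ({local} <-> {peer}) do not identify a link")
            sel = ScopedAddress(sel.addr, carrier_zone)
        resolved.append(sel)
    return resolved


if __name__ == "__main__":
    acl = build_acl(["fe80::1%eth0", "2001:db8::5"])
    print("fe80::1%eth1 allowed:", acl_allows(acl, "fe80::1%eth1"))
    print(resolve_selectors("fe80::a%eth0", "fe80::b%eth0", ["fe80::1"]))
    try:
        resolve_selectors("2001:db8::1", "2001:db8::2", ["fe80::1"])
    except ValueError as e:
        print("rejected:", e)
```

The two cases in the message map onto `resolve_selectors`: with IKE carried on fe80::a%eth0 and fe80::b%eth0 the bare selector fe80::1 is qualified to fe80::1%eth0, while with IKE carried on global addresses the same selector is refused. The ACL side applies the same rule at build time rather than at match time, which is where a practitioner would want the error to surface.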