Hello,
Looking at the list archive, I see no comments on these drafts, published October 17th.
Nor do I find any traces of discussions on IETF-82.
However, from a security point of view, I do have a remark.
In both drafts, the "Security Considerations" state (quoting extracts):
... "recommends a liberal setting of firewall rules" ...
... "some malicious traffic may be permitted" ...
... "allow the initiation of Denial of Service attacks against Mobile IPv6 capable nodes" ...
Is this acceptable?
Being concerned with security, I'd say that these statements as "Security Considerations" might lead to the conclusion that these mobility extensions cannot be used, in practice?!
We hear that mobile networks might be the first to be IPv6 only (if there aren't already such networks around)
--> IPv6 only in mobile nets: the target for Mobility Extensions
We see that more and more banks offer clients for smartphones for Internet banking
--> the "correspondent node" might very well be in some bank's DMZ
??? if they, bank security admins, will accept to set up security devices in such a way that "firewall rules are liberal" and "potentially allow that DOS attacks are started" ???
It is my impression that, to put mobility information so "deep" in the stack - as "extension header" with IPPROTO_NONE in the next header field - implies that security infrastructure will need quite some CPU resources to work its way through them.
Wouldn't it have been wiser to assign a (UDP?) port number to the Mobility "application"?
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
[email protected]
http://www.eurid.eu
_______________________________________________
MEXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/mext
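The point about where the Mobility Header sits in the packet can be made concrete with the walk a firewall has to perform before it can decide anything. The following is an added example, not part of the list post or of the drafts under discussion: it parses the IPv6 extension-header chain of a constructed packet carrying a Binding Update (Mobility Header, protocol 135, whose own next-header field is 59, IPPROTO_NONE) behind a Destination Options header, and reports how many headers and bytes it had to step over to reach it. The addresses, the Home Address option contents and the zeroed checksum are constructed sample values; the parser only implements the generic Next Header / Hdr Ext Len chaining rules, not the per-option semantics.

```python
import struct

# IPv6 protocol numbers used below (IANA registry values)
IPPROTO_HOPOPTS = 0
IPPROTO_TCP = 6
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_NONE = 59        # "No Next Header": the Mobility Header's payload proto
IPPROTO_DSTOPTS = 60
IPPROTO_MH = 135         # Mobility Header (RFC 6275)

# Extension headers that share the Next Header / Hdr Ext Len layout
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}


def walk_ipv6(pkt: bytes) -> dict:
    """Follow the extension-header chain of an IPv6 packet.

    Returns what an inspecting device learns on the way: every header it
    stepped over (protocol, byte offset, length), whether a Mobility Header
    was found, and the final upper-layer protocol.  Truncated packets raise
    ValueError instead of being guessed at, which is the safe outcome for a
    filter.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]               # Next Header of the base header
    off = 40                  # first byte after the fixed base header
    chain = []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len
        # in units of 8 octets, not counting the first 8.
        hlen = 8 if nh == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((nh, off, hlen))
        nh = pkt[off]         # Next Header field of this extension header
        off += hlen
    if nh == IPPROTO_MH:
        if off + 8 > len(pkt):
            raise ValueError("truncated mobility header")
        hlen = (pkt[off + 1] + 1) * 8   # MH Header Len, same 8-octet units
        if off + hlen > len(pkt):
            raise ValueError("mobility header runs past end of packet")
        chain.append((nh, off, hlen))
        return {
            "mobility": True,
            "mh_type": pkt[off + 2],          # 5 = Binding Update
            "payload_proto": pkt[off],        # normally IPPROTO_NONE (59)
            "chain": chain,
            "ext_headers_walked": len(chain) - 1,
            "offset": off,                    # bytes parsed before the MH
        }
    return {"mobility": False, "chain": chain, "final_proto": nh, "offset": off}


def build_sample_bu_packet() -> bytes:
    """Constructed sample: IPv6 | Dest Opts (Home Address opt) | MH Binding Update."""
    src = bytes.fromhex("20010db8000000010000000000000002")   # constructed
    dst = bytes.fromhex("20010db8000000020000000000000001")   # constructed
    home = bytes.fromhex("20010db8000000010000000000000099")  # constructed
    # Destination Options: NH=135, Hdr Ext Len=2 (24 octets), PadN(2),
    # Home Address option (type 201, len 16), PadN(2)
    dstopts = bytes([IPPROTO_MH, 2, 1, 0, 201, 16]) + home + bytes([1, 0])
    # Mobility Header: Payload Proto=59, Hdr Len=1 (16 octets), MH Type=5 (BU),
    # reserved, checksum (zero placeholder), seq=1, flags A=1, lifetime=60,
    # PadN(4) option to fill the 8-octet multiple
    mh = (bytes([IPPROTO_NONE, 1, 5, 0]) + b"\x00\x00"
          + struct.pack("!HHH", 1, 0x8000, 60) + bytes([1, 2, 0, 0]))
    payload = dstopts + mh
    base = struct.pack("!IHBB", 0x60000000, len(payload), IPPROTO_DSTOPTS, 64)
    return base + src + dst + payload


def build_plain_tcp_packet() -> bytes:
    """Constructed sample: IPv6 | TCP, i.e. no extension headers at all."""
    src = dst = bytes(16)
    base = struct.pack("!IHBB", 0x60000000, 20, IPPROTO_TCP, 64)
    return base + src + dst + bytes(20)


if __name__ == "__main__":
    r = walk_ipv6(build_sample_bu_packet())
    print("mobility header found:", r["mobility"], "MH type:", r["mh_type"],
          "after", r["ext_headers_walked"], "extension header(s),",
          r["offset"], "bytes into the packet")
```

A plain TCP packet is classified at byte 40 with nothing to step over, while the constructed Binding Update is only recognised after the parser has read and length-checked the Destination Options header and then the Mobility Header itself; the same loop must also reject truncated chains rather than fall through to a permissive default.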