
Re: [DNA] Issue 8: Modify Security Considerations



Vijay 

Thanks for your feedback. 

> I am not sure I understood the issue. I agree that some secure
> mechanism is needed to detect crossing security boundaries before
> a personal firewall is turned off. But why is this tied to SEND?
> I don't see anything in SEND for detecting crossing security
> boundaries.
> 
> It might suffice to say, in the Security Considerations section,
> that a secure mechanism is needed to detect crossing security
> boundaries before taking actions like turning off a personal
> firewall and that DNA mechanisms might not be sufficient.

Our line of thought is as below.

1. With SEND, we can secure Router Discovery, such as Router 
    Advertisement. 
2. With secured RA messages, we can secure DNA.  
3. With secured DNA mechanisms, a host can safely adjust its 
    security based on which network link it believes it is attached to. 
4. Without secured DNA schemes, it's inadvisable to do so.  

We think that DNA schemes can be used to detect crossing security 
boundaries indirectly and that SEND can be used to secure DNA; hence the 
connection.  
 
It seems, however, that the phrases need clarification. How about this? 

   Because DNA schemes are based on Neighbor Discovery, their trust models
   and threats are similar to the ones presented in [9].  Nodes
   connected over wireless interfaces may be particularly susceptible to
   jamming, monitoring and packet insertion attacks.

   Use of [7] to secure Neighbor Discovery is important in achieving
   reliable detection of network attachment.  DNA schemes SHOULD
   incorporate the solutions developed in IETF SEND WG if available,
   where assessment indicates such procedures are required.

   With unsecured DNA schemes, it is inadvisable for a host to adjust
   its security based on which network it believes it is attached to.
   For example, it would be inappropriate for a host to disable its
   personal firewall based on the belief that it had connected to a home
   network.

I exchanged the second and the third part with slight modification to clarify 
the paragraphs. Kindly comment on it. 

Thanks for your kind consideration. 

Best Regards

JinHyeock