Low-Latency Handoffs in Mobile IPv4
RFC 4881

Note: This ballot was opened for revision 11 and is now closed.

(Brian Carpenter) (was Discuss) No Objection

Comment (2005-10-06)
Comments on -11 version from Lakshminath Dondeti:

I found a few things (2 that I missed before and one correction that is still unclear to me).  These can be fixed during RFC Ed processes.

1&2) In the security considerations section the following appears in two places:

IKE ...  based on shared and public keys
should it be
IKE ...  based on shared [secrets] or public keys
                                                   ^^
3) In the same section, the word "shared" in -10- has now been changed to "static" in -11-.

I was wondering about what that word means.  My old comment on this was:


The second paragraph of Page 48 says ....

That paragraph also says "involving shared keys."  I am wondering whether manually configured IPsec SAs or IKE/IKEv2 with PSKs is the minimal requirement.  Please clarify.

Perhaps it is clear to folks who are familiar with ref [1] (RFC 3344)!

--------------
Comments on -10 version:

Text comments from Gen-ART review by Lakshminath Dondeti:

* Proxy Router Solicitation is abbreviated as ProxyRtSol in some places (e.g., Figure 1) and as PrRtSol (e.g., in the last paragraph of Page 14).  Please revise to be consistent.  ProxyRtAdv versus PrRtAdv is another similar inconsistent abbreviation.

* In several places, there is some roundabout text about identifiers and IP addresses.  Please use the general term, identifier, and follow up with examples of identifiers (e.g., IP address, L2 identifier).  The text is there, but the specification starts out with a MUST on IP address and then goes on to allow other identifiers.  A revision would help clarify things.

* Section 3.4, 2nd paragraph has a sentence that says "... MUST be authenticated to prevent attacks."  Perhaps add "impersonation" before attacks.

Notes on Security Considerations section:

This section looks good in some places, but could use a few sentences elsewhere.  For instance, toward the end of the first paragraph there is a sentence that says "The absence of this security would allow ..."  A few more of those would be great, say after the second sentence of the second paragraph ("In the event that the MN does not ... it MAY drop them").  What is the risk if the MN does not drop the packets?  It may be obvious to the editor/authors, but not to all the readers.

Why is IKE being specified as the key management protocol, and not IKEv2?  Perhaps that has to do with Mobile IPv4 history?

Please add -96 to HMAC-SHA1 as in Ref[12].

The second paragraph of Page 48 says that "all FAs involved in low latency handoff MUST support manual pre-configuration of security associations with neighboring FAs."  Please clarify that the SAs must be peer-to-peer.

That paragraph also says "involving shared keys."  I am wondering whether manually configured IPsec SAs or IKE/IKEv2 with PSKs is the minimal requirement.  Please clarify.

The third paragraph of Page 48 says "some level of L2 security is assumed."  A good amount of qualifying text follows that statement, but it also contains phrases such as "adequate security."  Would it be fair to say that integrity and replay protection are required?  (Based on the impersonation threat and also the threat of impersonation leading to resource consumption -- integrity protection alone might not be sufficient, as an adversary may be able to replay old requests to cause resource consumption.)
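The reviewer's last point, that an integrity check alone does not stop a replayed request from consuming resources, is illustrated by the following added example. It is not from the review, the draft or RFC 4881; the message layout, the shared secret and the sliding-window size are constructed placeholders, and only the HMAC-SHA1-96 tag (RFC 2404 truncation, as requested in the review) follows a real specification.

```python
import hmac
import hashlib

# Constructed demo: a handoff request protected by HMAC-SHA1-96 only, versus the
# same check plus an anti-replay window. The message format (4-byte sequence
# number + payload + 12-byte tag) is invented for illustration, not the
# Mobile IPv4 wire format, and the key is a placeholder shared secret.
KEY = b"constructed-shared-secret"

def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to the leftmost 96 bits (12 bytes), as in RFC 2404."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def make_request(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    body = seq.to_bytes(4, "big") + payload
    return body + hmac_sha1_96(key, body)

def verify_integrity(msg: bytes, key: bytes = KEY):
    """Integrity only: returns (seq, payload), or None if the tag does not match."""
    body, tag = msg[:-12], msg[-12:]
    if len(body) < 4 or not hmac.compare_digest(tag, hmac_sha1_96(key, body)):
        return None
    return int.from_bytes(body[:4], "big"), body[4:]

class ReplayGuard:
    """Integrity plus anti-replay: a sliding window over accepted sequence numbers."""
    def __init__(self, window: int = 32):
        self.window = window
        self.highest = -1      # highest sequence number accepted so far
        self.seen = set()      # accepted sequence numbers still inside the window

    def accept(self, msg: bytes, key: bytes = KEY) -> bool:
        parsed = verify_integrity(msg, key)
        if parsed is None:
            return False       # forged or corrupted: fails the integrity check
        seq, _ = parsed
        if seq <= self.highest - self.window or seq in self.seen:
            return False       # too old for the window, or already processed: a replay
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True

def demo():
    """Same authentic request delivered three times: integrity-only accepts every copy."""
    req = make_request(7, b"handoff-request")
    integrity_accepts = [verify_integrity(req) is not None for _ in range(3)]
    guarded_accepts = [ReplayGuard().accept(req)] if False else []
    guard = ReplayGuard()
    guarded_accepts = [guard.accept(req) for _ in range(3)]
    return integrity_accepts, guarded_accepts
```

`demo()` returns `([True, True, True], [True, False, False])`: every replayed copy passes the tag check and would be processed, while the windowed receiver accepts the request once and discards the replays.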

(Margaret Cullen) (was Discuss, Yes) No Objection

(Ted Hardie) (was Discuss, No Objection) No Objection

(Scott Hollenbeck) No Objection

(Russ Housley) No Objection

(David Kessens) No Objection

(Bert Wijnen) No Objection

Comment (2005-08-18 for -)
Citation problem:
  !! Missing citation for Informative reference:
  P051 L006:      [14] P. Calhoun, C.  Perkins, "Mobile IP Network Access Identifier

I believe that at every place where this doc speaks about an IP address,
that it actually means IPv4 address. Maybe it would be good to be explicit
in that.