Threat Analysis for TCP Extensions for Multipath Operation with Multiple Addresses
RFC 6181

[Ballot comment]
In the OPS-DIR review  Lionel Morand raised the issue that it is recommended to allow the support of multiple security mechanisms but there is nothing about potential related mechanism negotiation  issues. I suggest that this be addressed before the publication of the document, even if it is not a blocking issue.

[Ballot comment]
This document does a good job of analyzing the threats for MPTCP. Thanks you.

While fully understandable, I found the text a bit wordy, with extra phrases and clauses thrown in where they really weren't needed. This document could be much more concise, and if you are doing a new revision, you might want to consider tightening up the text. But this is purely a style issue, and the authors are free to ignore this comment if they so choose.

Some examples of things that can be tightened:
"It should be noted that yada yada yada" - this implies that somebody should sometime in the future note this, but you are noting it now, so all you need is the yada yada yada without "It should be noted that".

I recommend you check any "Note that" usages; they are almost always unnecessary.

"Similarly to the MPTCP case, the Shim6 protocol is a layer 3
      protocol so all the communications involving the target address
      are at stake, as opposed to the MPTCP case, where the impact can
      be limited to a single TCP connection."
would be much more concise as simply "The Shim6 protocol is a layer 3
      protocol so all the communications involving the target address
      are at stake; in MPTCP, the impact can
      be limited to a single TCP connection."

s/behaviour of SCTP as defined/behaviour of SCTP/

I recommend checking to see if removing some of these phrases actually changes the meaning of the sentence:
s/as such//g
s/So,//g
s/As we stated earlier,//
s/In order to do that,//
s/This means that//
s/In particular//g
s/We assume that//g
s/So, at least,//
s/In addition,//
s/the so called//
s/It should be noted that/
s/In other words,//
s/namely//
s/In this case,//
s/basically//
s/This implies that//
s/It seems that/
s/It seems reasonable to assume that//
s/This per se,/This/
s/The result is that/
s/This means that//
s/This basically means that//

and some specific places:
s/In addition, we have the target of the flooding attack, target T which has an IP address IPT./
  Target T has an IP address IPT./
s/In the first step of this attack (depicted as step 1 in the figure), the attacker A/
  The attacker A/
s/the second step of the attack (depicted as step 2 in the figure)/
  the second step of the attack/
or /step 2 of the attack/ (to align it with the figure labels)

s/The actual details of this/The details/
s/somehow more secure/more secure/
s/Similarly to the previous case,//
s/As opposed to the previous one,//
s/As we have described earlier,//

[Ballot comment]
This is an excellent document and I can warmly recommend its approval. Thank you for writing it, Marcelo.

Some small comments:

In Section 3, where the document discusses differences between MIPv6 RO and MPTCP situation I had a couple of comments. First, I'm not sure I understand what you mean with the bullet about MIPv6 relying on the original path always being available. MIPv6 certainly assumes that the path that we are using at that moment is working, and if it is not, the system will attempt to move to some other address or network attachment point. Secondly, I think you are missing one additional difference: in MIPv6 we assume that there's always a trusted third party (the home agent) that can help us with some of the security problems. In MPTCP there is no such entity. You might also be missing the difference that MPTCP intends to be able to use multiple paths simultaneously, which was not an original design goal of the MIPv6 work.

In Section 6.3, the text discusses the effects of NAT on securing the implicitly reported new address. The text fails to explain that while explicit mode would allow better protection of the reported new address, such protection would be pointless because it would protect an address that is no longer relevant on the outside of the NAT. You actually *need* to report the address as changed by the NAT. And by the way, I see nothing wrong with that... that's is how current TCP works, too.

I like the basic recommendations in Section 7. But I am unsure if the analysis in the document actually supports the advanced recommendation to have optional support for HMAC. Why would that needed? Also, should the conclusions say something about how MPTCP design should deal with sequence number spaces -- it seems that different choices here would result in different impacts.

[Ballot comment]
This is an excellent document and can warmly recommend its approval. Thank you for writing it, Marcelo.

Some small comments:

In Section 3, where the document discusses differences between MIPv6 RO and MPTCP situation I had a couple of comments. First, I'm not sure I understand what you mean with the bullet about MIPv6 relying on the original path always being available. MIPv6 certainly assumes that the path that we are using at that moment is working, and if it is not, the system will attempt to move to some other address or network attachment point. Secondly, I think you are missing one additional difference: in MIPv6 we assume that there's always a trusted third party (the home agent) that can help us with some of the security problems. In MPTCP there is no such entity. You might also be missing the difference that MPTCP intends to be able to use multiple paths simultaneously, which was not an original design goal of the MIPv6 work.

In Section 6.3, the text discusses the effects of NAT on securing the implicitly reported new address. The text fails to explain that while explicit mode would allow better protection of the reported new address, such protection would be pointless because it would protect an address that is no longer relevant on the outside of the NAT. You actually *need* to report the address as changed by the NAT. And by the way, I see nothing wrong with that... that's is how current TCP works, too.

I like the basic recommendations in Section 7. But I am unsure if the analysis in the document actually supports the advanced recommendation to have optional support for HMAC. Why would that needed? Also, should the conclusions say something about how MPTCP design should deal with sequence number spaces -- it seems that different choices here would result in different impacts.

[Ballot comment]
This is an excellent document and can warmly recommend its approval. Thank you for writing it, Marcelo.

Some small comments:

In Section 3, where the document discusses differences between MIPv6 RO and MPTCP situation I had a couple of comments. First, I'm not sure I understand what you mean with the bullet about MIPv6 relying on the original path always being available. MIPv6 certainly assumes that the path that we are using at that moment is working, and if it is not, the system will attempt to move to some other address or network attachment point. Secondly, I think you are missing one additional difference: in MIPv6 we assume that there's always a trusted third party (the home agent) that can help us with some of the security problems. In MPTCP there is no such entity. You might also be missing the difference that MPTCP intends to be able to use multiple paths simultaneously, which was not an original design goal of the MIPv6 work.

In Section 6.3, the text discusses the effects of NAT on securing the implicitly reported new address. The text fails to explain that while explicit mode would allow better protection of the reported new address, such protection would be pointless because it would protect an address that is no longer relevant on the outside of the NAT. You actually *need* to report the address as changed by the NAT. And by the way, I see nothing wrong with that... that's is how current TCP works, too.

[Ballot comment]
This is an excellent document and can warmly recommend its approval. Thank you writing it, Marcelo.

Some small comments:

In Section 3, where the document discusses differences between MIPv6 RO and MPTCP situation I had a couple of comments. First, I'm not sure I understand what you mean with the bullet about MIPv6 relying on the original path always being available. MIPv6 certainly assumes that the path that we are using at that moment is working, and if it is not, the system will attempt to move to some other address or network attachment point. Secondly, I think you are missing one additional difference: in MIPv6 we assume that there's always a trusted third party (the home agent) that can help us with some of the security problems. In MPTCP there is no such entity. You might also be missing the difference that MPTCP intends to be able to use multiple paths simultaneously, which was not an original design goal of the MIPv6 work.

[Ballot comment]
In Section 3, where the document discusses differences between MIPv6 RO and MPTCP situation I had a couple of comments. First, I'm not sure I understand what you mean with the bullet about MIPv6 relying on the original path always being available. MIPv6 certainly assumes that the path that we are using at that moment is working, and if it is not, the system will attempt to move to some other address or network attachment point. Secondly, I think you are missing one additional difference: in MIPv6 we assume that there's always a trusted third party (the home agent) that can help us with some of the security problems. In MPTCP there is no such entity. You might also be missing the difference that MPTCP intends to be able to use multiple paths simultaneously, which was not an original design goal of the MIPv6 work.

[Ballot comment]
In Section 1:

  This
  note includes a threat analysis for MPTCP.  It should be noted that
  there are there may other ways to provide multiple paths for a TCP

This doesn't read well

  connection other than the usage of multiple addresses.  The threat
  analysis performed in this document is limited to the specific case
  of using multiple addresses per endpoint.

In Section 3:

  o  Similarly to the MPTCP case,

Did you mean "MIPv6 RO" here?

      the Shim6 protocol is a layer 3
      protocol so all the communications involving the target address
      are at stake, as opposed to the MPTCP case, where the impact can
      be limited to a single TCP connection.

State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
CC: <multipathtcp@ietf.org>
Reply-To: ietf@ietf.org
Subject: Last Call: <draft-ietf-mptcp-threat-06.txt> (Threat Analysis for Multi-addressed/Multi-path TCP) to Informational RFC


The IESG has received a request from the Multipath TCP WG (mptcp) to
consider the following document:
- 'Threat Analysis for Multi-addressed/Multi-path TCP'
  <draft-ietf-mptcp-threat-06.txt> as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-1-11. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-mptcp-threat/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-mptcp-threat/

  (1.a) Who is the Document Shepherd for this document? Has the
        Document Shepherd personally reviewed this version of the
        document and, in particular, does he or she believe this
        version is ready for forwarding to the IESG for publication?

Yoshifumi Nishida is the document shepherd. I have personally reviewed the document
and believe it is ready for publication.

  (1.b) Has the document had adequate review both from key WG members
        and from key non-WG members? Does the Document Shepherd have
        any concerns about the depth or breadth of the reviews that
        have been performed? 

The document has been reviewed by both key WG members and Key non-WG members.
There is no concern about the reviews.

  (1.c) Does the Document Shepherd have concerns that the document
        needs more review from a particular or broader perspective,
        e.g., security, operational complexity, someone familiar with
        AAA, internationalization or XML?
None.

  (1.d) Does the Document Shepherd have any specific concerns or
        issues with this document that the Responsible Area Director
        and/or the IESG should be aware of? For example, perhaps he
        or she is uncomfortable with certain parts of the document, or
        has concerns whether there really is a need for it. In any
        event, if the WG has discussed those issues and has indicated
        that it still wishes to advance the document, detail those
        concerns here. Has an IPR disclosure related to this document
        been filed? If so, please include a reference to the
        disclosure and summarize the WG discussion and conclusion on
        this issue.
None.

  (1.e) How solid is the WG consensus behind this document? Does it
        represent the strong concurrence of a few individuals, with
        others being silent, or does the WG as a whole understand and
        agree with it? 

There is strong consensus on this document.

  (1.f) Has anyone threatened an appeal or otherwise indicated extreme
        discontent? If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director. (It
        should be in a separate email because this questionnaire is
        entered into the ID Tracker.)
None.

  (1.g) Has the Document Shepherd personally verified that the
        document satisfies all ID nits? (See the Internet-Drafts Checklist
        and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
        not enough; this check needs to be thorough. Has the document
        met all formal review criteria it needs to, such as the MIB
        Doctor, media type and URI type reviews?

This document is verified with idnits 2.12.05.

  (1.h) Has the document split its references into normative and
        informative? Are there normative references to documents that
        are not ready for advancement or are otherwise in an unclear
        state? If such normative references exist, what is the
        strategy for their completion? Are there normative references
        that are downward references, as described in [RFC3967]? If
        so, list these downward references to support the Area
        Director in the Last Call procedure for them [RFC3967].

The document splits the references. There is no downward reference
in the normative reference.

  (1.i) Has the Document Shepherd verified that the document IANA
        consideration section exists and is consistent with the body
        of the document? If the document specifies protocol
        extensions, are reservations requested in appropriate IANA
        registries? Are the IANA registries clearly identified? If
        the document creates a new registry, does it define the
        proposed initial contents of the registry and an allocation
        procedure for future registrations? Does it suggest a
        reasonable name for the new registry? See [RFC5226]. If the
        document describes an Expert Review process has Shepherd
        conferred with the Responsible Area Director so that the IESG
        can appoint the needed Expert during the IESG Evaluation?

Yes. IANA consideration section exists in the document, but no action is required.

  (1.j) Has the Document Shepherd verified that sections of the
        document that are written in a formal language, such as XML
        code, BNF rules, MIB definitions, etc., validate correctly in
        an automated checker?

The document contains no formal language.

  (1.k) The IESG approval announcement includes a Document
        Announcement Write-Up. Please provide such a Document
        Announcement Write-Up? Recent examples can be found in the
        "Action" announcements for approved documents. The approval
        announcement contains the following sections:

    Technical Summary
        Relevant content can frequently be found in the abstract
        and/or introduction of the document. If not, this may be
        an indication that there are deficiencies in the abstract
        or introduction.

This document describes the threat analysis for Multi-path TCP which allows
an endpoint to use multiple IP addresses to exchange data. The goal of this
document is to provide the information of possible threats in Multi-path TCP
and recommendable solutions to make MPTCP as secure as the current TCP.
The information on this document is important for the basic design of MPTCP protocol.
Additional strong secure mechanisms are out-of-scope of this document and will
be addressed by other documents.

    Working Group Summary
        Was there anything in WG process that is worth noting? For
        example, was there controversy about particular points or
        were there decisions where the consensus was particularly
        rough?

This draft has been discussed in all IETF meetings since the creation of the WG.
There is a strong consensus in the WG for publication as an informational RFC.

    Document Quality
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a
        conclusion that the document had no substantive issues? If
        there was a MIB Doctor, Media Type or other expert review,
        what was its course (briefly)? In the case of a Media Type
        review, on what date was the request posted?

This document was reviewed by various people and has been through WGLC successfully.
The MPTCP protocol has been designed based on the recommendations in this document.

    Personnel

Yoshifumi Nishida is the Document Shepherd for this document.
The Responsible Area Director is Lars Eggert.