Reviewer: Jürgen Schönwälder
Review result: Has Issues
Thanks for considering my comments.
I am still struggling with the fact that the constrained Join
Proxy does allow attackers to send packets to arbitrary link-local
endpoints. The new security considerations text gives this advice:
If such scenario needs to be avoided, the constrained Join Proxy MUST
encrypt the CBOR array using a locally generated symmetric key. The
Registrar is not able to examine the encrypted result, but does not
need to. The Registrar stores the encrypted header in the return
packet without modifications. The constrained Join Proxy can decrypt
the contents to route the message to the right destination.
The usage of MUST surely looks promising, but then protection
against this kind of attacks still is entirely optional ("if such
scenario needs to be avoided"). This relates to the other main
concern I had, namely that it is not particularly clear what is
required to be implemented as an interoperable baseline so that
at deployment time appropriate decisions can be taken.
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
