
Re: Requirements [was Re: Transport level multihoming]



> The recent PBK security proposal removes some of the difficulties with
> the need for previously set up security associations.

Well, it does and it doesn't.   PBK (draft-bradner-pbk-frame-00.txt)
proposes a method where you can maintain a connection to a host with
which you originally created the connection.  However, if you 
attempt to associate more than one simultaneous address with the
connection endpoint, you enter the land of address "ownership" problem.
That is, Mobile IPv6 Binding Updates or other mechanisms that allow
you to create local exceptions to your standard routing information
may be used as a tool to perform man-in-the-middle, masquerade
and various DoS attacks.  One attack scenario is presented in 
draft-nikander-ipng-address-ownership-00.txt and another one I presented
at the SAAG meeting, 
http://www.tml.hut.fi/~pnr/presentations/IETF50-SAAG-AddrOwn-Slides.pdf

> It seems to me that the discussion of transport level multihoming is missing
> a fundamental effect of having multiple addresses for the host - The choice of
> source address used by a host affects the routing of both outgoing and the
> subsequent return packets if the letter of the globally aggregatable unicast
> addressing scheme is adhered to.  

We discuss this briefly in draft-nikander-mobileip-homelessv6-01.txt.
I think Richard Draves' draft-ietf-ipngwg-default-addr-select-03.txt
does a pretty good job in discussing that in general, without any
specific reference to multi-homing if I remember correctly.

> Exposing the multiple addresses to the application through the transport layer,
> in the way that SCTP does, allows the application to subvert routing policies
> which the domain may wish to have obeyed. ...

Furthermore, unless properly protected, it may allow a malicious peer to
divert traffic into an illegitimate address.  Such an attack may even be
performed before there is any traffic ongoing between the hosts that are
the target of the attack (see my SAAG slides).  In a limited scale, we
can easily imagine how a PKI or AAA infrastructure can be used to protect
against such attacks, but the case of a global scale solution is much harder.

Some beginnings for a maybe possible global scale solution are presented in
http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-pbk-addresses-00.txt

That is basically an extension to PBK where the host ID part of an IPv6
address is used as an implicit crypto token, allowing a public key to
be associated with the address without any need of a PKI or AAA like infra.
Please note that this work is in very early phases (the draft hasn't 
even been submitted yet), and that there may be IPR issues since our
company policy forced me to file a patent application before going public
with the ideas.

--Pekka Nikander
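
An added illustration of the "implicit crypto token" idea described above, showing how a host ID can commit to a public key so that a correspondent can check address ownership without any PKI or AAA infrastructure. This is example code written for this page, not code from the draft or from the author. The concrete construction is an assumption (SHA-256 over the 64-bit prefix followed by the public key, leftmost 64 bits kept, u/g bits cleared); the draft may differ. The key material and the 2001:db8::/32 prefix are constructed sample values, and verification of the signature a claimant would put on a binding update is left to the caller.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample "public keys": opaque byte strings standing in for
# whatever encoding of a real public key the scheme would hash (assumption).
VICTIM_KEY = b"\x30\x59\x30\x13\x06\x07" + b"victim-public-key-material"
ATTACKER_KEY = b"\x30\x59\x30\x13\x06\x07" + b"attacker-public-key-material"
PREFIX = "2001:db8:1:2::/64"  # documentation prefix, constructed for the example


def interface_id_from_pubkey(pubkey: bytes, prefix64: bytes) -> bytes:
    """Derive a 64-bit interface identifier that commits to `pubkey`.

    Assumed construction (the page does not specify one): SHA-256 over
    prefix || pubkey, keep the leftmost 64 bits, then clear the u (0x02)
    and g (0x01) bits of the first octet so the result is a valid modified
    EUI-64 identifier that can never collide with a hardware-derived one.
    Only 62 bits of hash output therefore survive in the identifier.
    """
    if len(prefix64) != 8:
        raise ValueError("prefix must be exactly 64 bits")
    digest = hashlib.sha256(prefix64 + pubkey).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFC  # clear u and g bits
    return bytes(iid)


def make_address(prefix: str, pubkey: bytes) -> ipaddress.IPv6Address:
    """Address a host owning `pubkey` configures under a /64 subnet prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("need a /64 subnet prefix")
    prefix64 = net.network_address.packed[:8]
    return ipaddress.IPv6Address(prefix64 + interface_id_from_pubkey(pubkey, prefix64))


def host_id(addr: str) -> bytes:
    """The 64-bit host ID (interface identifier) part of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def verify_address_ownership(addr: str, pubkey: bytes) -> bool:
    """Correspondent-side check: does this address's host ID commit to `pubkey`?

    The prefix is taken from the address itself, so the same key yields a
    different host ID under every prefix; a token minted for one subnet is
    not a token for another.
    """
    packed = ipaddress.IPv6Address(addr).packed
    expected = interface_id_from_pubkey(pubkey, packed[:8])
    return hmac.compare_digest(packed[8:], expected)


def check_binding_update(home_addr: str, care_of_addr: str, pubkey: bytes) -> bool:
    """Accept a (home address -> care-of address) binding only if the home
    address is bound to the presenting key.  The care-of address is a plain
    locator and carries no such commitment; it only has to be a usable
    unicast address.  The caller must additionally verify the claimant's
    signature over the update with `pubkey` (out of scope here).
    """
    try:
        coa = ipaddress.IPv6Address(care_of_addr)
    except ValueError:
        return False
    if coa.is_multicast or coa.is_loopback or coa.is_unspecified:
        return False
    return verify_address_ownership(home_addr, pubkey)


if __name__ == "__main__":
    victim = str(make_address(PREFIX, VICTIM_KEY))
    print("victim address:", victim)
    # The owner of the key can prove the binding; an attacker with a
    # different key cannot claim the same address short of a ~2^62 search.
    print("owner verifies:", verify_address_ownership(victim, VICTIM_KEY))
    print("attacker verifies:", verify_address_ownership(victim, ATTACKER_KEY))
    print("redirect by attacker accepted:",
          check_binding_update(victim, "2001:db8:9::1", ATTACKER_KEY))
```

Passing the ownership check shows only that whoever holds the key also generated the address; it says nothing about whether that party is actually reachable at the care-of address, so a correspondent still needs a separate reachability check before redirecting traffic there if it wants to avoid being used to flood a third party.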