Re: Multihoming by IP Layer Address Rewriting (MILAR)

At 18:33 03/09/01, Ramakrishna Gummadi wrote:
>How do you deal with fake ICMP messages?
>
>> There is a security problem: a host may think it's communicating with host
>> with a certain IP address, while it is in fact communicating with a very
>> different host, which is not the owner of the IP address in question nor
>> reachable over it using regular routing. This breaks "security by looking
>> at the IP address", but this was never very secure to begin with anyway.
>
>Arbitrary change of addresses opens up lots of *new* "interesting"
>hijacking and DoS issues without a proper security architecture in place.
>Something along the lines of hip (host-identity payload) must be used.

RFC-1825/2401 defines a Security Architecture that covers this case
quite well (was designed to do so, oddly enough) and ESP/AH are
mechanisms that work. AH was designed to handle things like ICMP
authentication and works quite well for that. I demo'd AH authentication
of ICMP in running code for ARPA back in late August 1995. Small
vendors like Microsoft and Sun have shipping ESP/AH today
(e.g. in Win2K, Solaris8). Free software vendors (Linux, *BSD)
also have shipping ESP/AH today.

So we don't have a security architecture or a security technology
problem [1] today in this regard.

Ran
rja@inet.org

[1] Caveat: IKE is arguably broken, but there is running IKE code
these days and it will get the job above done at least until
a replacement for IKE happens...