
Re: BALTS: Better At Least Than Singlehomed



First, thanks to all for replying so quickly.

On Mon, 11 Feb 2002, Daniel Hagerty wrote:

>  > At the destination address, the packets are de-encapsulated and processed
>  > like regularly received packets.

>     Your proposal is missing a "security" analysis.  If you spend a
> few moments on that, you're going to note some "issues" with this
> approach.

If a system de-encapsulates tunnelled packets without prior tunnel
configuration, this could be used by attackers to bypass firewalls. This
can be remedied by either:

1. Disallow the encapsulation protocol, so tunnelled packets can't enter
   (or leave) the system,

2. De-encapsulate incoming packets first, then apply filters / first apply
   filters and then perform the multihoming processing for outgoing
   packets, or

3. Look inside the encapsulating packet and apply filter rules to the
   encapsulated packet.

Discovery of the backup address through the DNS wouldn't be as secure as
it could be, but since single-homed communication depends on the DNS in
the first place, I don't see this as a fatal flaw.

A good later addition would be a mechanism for hosts to determine the
reachability status and other information (such as backup addresses)
dynamically and in a secure way.

Did you have any other issues in mind?

Iljitsch van Beijnum
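Option 3 from the mail above, as an added example that is not part of the list thread: a toy IPv4 / IP-in-IP parser with a filter that checks only the outer header (which lets a tunnelled packet through because protocol 4 is not TCP) beside one that unwraps the encapsulation and applies the same rule to the inner packet. The site policy, the addresses and the packet bytes are constructed for the example; checksums are not computed.

```python
import struct

IPPROTO_IPIP = 4          # IP-in-IP encapsulation, RFC 2003
IPPROTO_TCP = 6
BLOCKED_TCP_PORTS = {23}  # constructed site policy: no telnet to internal hosts
MAX_NESTING = 4           # bound on nested tunnels before the packet is dropped

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def parse_ipv4(pkt):
    """Split an IPv4 packet into header fields and payload; ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated")
    return {"proto": pkt[9], "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])), "payload": pkt[ihl:total_len]}

def policy_allows(ip):
    """Site policy for one plain (non-tunnel) packet: block TCP to listed ports."""
    if ip["proto"] == IPPROTO_TCP and len(ip["payload"]) >= 4:
        return struct.unpack("!H", ip["payload"][2:4])[0] not in BLOCKED_TCP_PORTS
    return True

def filter_outer_only(pkt):
    """Naive filter: sees protocol 4, not TCP, so a tunnelled telnet SYN passes."""
    return policy_allows(parse_ipv4(pkt))

def filter_inner(pkt, depth=0):
    """Option 3: unwrap encapsulation and apply the rules to the inner packet.
    Malformed packets and tunnels nested deeper than MAX_NESTING are dropped."""
    try:
        ip = parse_ipv4(pkt)
    except ValueError:
        return False
    if ip["proto"] == IPPROTO_IPIP:
        return depth < MAX_NESTING and filter_inner(ip["payload"], depth + 1)
    return policy_allows(ip)

# Constructed sample: a TCP SYN to port 23 on an internal host, wrapped in IP-in-IP
# from an outside address so that the outer header shows protocol 4 rather than TCP.
TCP_SYN_23 = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER = build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_TCP, TCP_SYN_23)
TUNNELLED = build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_IPIP, INNER)
```

`filter_outer_only(TUNNELLED)` accepts the packet while `filter_inner(TUNNELLED)` rejects it; option 2 from the mail (de-encapsulate first, then filter) is the same check performed after the tunnel endpoint has stripped the outer header.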