Peter Tattam wrote:
The fix is simple, but needed: Either a) during the initial negotiation the hosts check the reachability of the secondary addresses, and make sure, through some simple and cheap crypto, that it is the same host answering at all of the given addresses, or b) once the primary address becomes unreachable, the hosts check, using some simple and cheap crypto, that it is the same host answering at the secondary address, *before* sending any larger amounts of data to that secondary address.

How about a variation on both of these... c) only the primary address remains in an established state. Secondary addresses remain in a syn-received state until required to be used, in which case the syn-ack and ack packets have to also be sent on the secondary addresses using the same nonce. If it doesn't arrive on the same host, the flood storm will be immediately quenched. (The decision to send a RST might be a policy decision on the host.)
I think that approach could be developed as well. However, maybe you should pay attention to the possibility of faked acks. That is, if Alice is the attacker, she knows the nonce. Thus, she might be able to anticipate the forthcoming syn-ack containing the nonce, and be able to ack that even if she doesn't see the syn-ack. Thus, we must combine a) the nonce used on the primary connection, and b) a fresh nonce generated for the syn-ack on the secondary address. If you hash these together, you, again, have a solution very similar to that of Mobile IPv6. --Pekka
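The exchange above can be made concrete with a small simulation. This is an added example, not code from either poster or from any protocol specification; the host and address names, the message shapes and the use of SHA-256 over the concatenated nonces are all assumptions made for illustration. It contrasts the single-nonce variant (the ack depends only on the nonce already known from the primary connection) with the combined variant (the primary nonce hashed together with a fresh nonce carried in the syn-ack sent to the secondary address). A peer that really receives the syn-ack at the secondary address passes both checks; a peer that claims an address it does not control, and therefore never sees the fresh nonce, passes only the single-nonce check.

```python
"""Secondary-address verification: single nonce vs. combined nonce (constructed example)."""
import hashlib
import hmac
import secrets


def naive_ack(primary_nonce: bytes) -> bytes:
    """Weak variant: the ack is derived only from the nonce used on the primary connection.
    Anyone who knows that nonce can produce this value without seeing the syn-ack."""
    return hashlib.sha256(b"ack" + primary_nonce).digest()


def combined_ack(primary_nonce: bytes, secondary_nonce: bytes) -> bytes:
    """Suggested variant: hash the primary nonce together with a fresh nonce that travels
    in the syn-ack sent to the secondary address."""
    return hashlib.sha256(b"ack" + primary_nonce + secondary_nonce).digest()


class Responder:
    """Host that must confirm a peer's secondary address before sending bulk data there."""

    def __init__(self, primary_nonce: bytes, combine: bool):
        self.primary_nonce = primary_nonce
        self.combine = combine                  # True: combined scheme, False: single nonce
        self.pending: dict[str, bytes] = {}     # secondary address -> fresh nonce in its syn-ack
        self.verified: set[str] = set()         # addresses cleared for bulk data

    def send_syn_ack(self, addr: str) -> bytes:
        """Send a syn-ack towards the secondary address; returns the fresh nonce it carries.
        Only whoever actually receives traffic at `addr` learns this value."""
        nonce = secrets.token_bytes(16)
        self.pending[addr] = nonce
        return nonce

    def receive_ack(self, addr: str, token: bytes) -> bool:
        """Validate the ack for a pending secondary address; one attempt per syn-ack."""
        nonce = self.pending.pop(addr, None)
        if nonce is None:
            return False
        if self.combine:
            expected = combined_ack(self.primary_nonce, nonce)
        else:
            expected = naive_ack(self.primary_nonce)
        ok = hmac.compare_digest(expected, token)   # constant-time comparison
        if ok:
            self.verified.add(addr)
        return ok


def honest_peer_verifies(combine: bool) -> bool:
    """The peer really is reachable at its secondary address, so it sees the syn-ack."""
    primary = secrets.token_bytes(16)            # nonce shared on the primary connection
    bob = Responder(primary, combine)
    fresh = bob.send_syn_ack("alice-secondary")  # delivered to the genuine peer
    token = combined_ack(primary, fresh) if combine else naive_ack(primary)
    return bob.receive_ack("alice-secondary", token)


def blind_ack_accepted(combine: bool) -> bool:
    """The peer knows the primary nonce but named an address it does not control.
    The syn-ack goes elsewhere, so the ack must be produced without the fresh nonce."""
    primary = secrets.token_bytes(16)
    bob = Responder(primary, combine)
    bob.send_syn_ack("some-other-host")          # fresh nonce never reaches the claimant
    blind_token = naive_ack(primary)             # all that is computable from the primary nonce
    return bob.receive_ack("some-other-host", blind_token)


if __name__ == "__main__":
    for combine in (False, True):
        print(f"combine={combine}: honest ok={honest_peer_verifies(combine)}, "
              f"blind ack accepted={blind_ack_accepted(combine)}")
```

Run as a script it prints that the honest peer is verified under both variants, while the blind ack is accepted only under the single-nonce variant. The fresh nonce is what ties acceptance of the secondary address to actual reachability at that address, which is the property the reply insists on.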