
Re: The cost of crypto in end-host multi-homing (was Re: The state of IPv6 multihoming development)



On Mon, 28 Oct 2002, Pekka Nikander wrote:

> > Why do all this checking? Just assume the host is interested in the
> > traffic until it tells you otherwise.

> Remember that maybe there is no host there.  Maybe the target is
> to flood a network.  In IPv6 it is fairly easy to select an empty
> address, in fact probably easier than to pick an existing host.

But unlike with v4, there is a good chance you'll get a host unreachable
back.


> > For TCP apps, you're pretty much
> > guaranteed to be in slow start anyway, so there wouldn't be much
> > flooding.

> In TCP the attacker can anticipate what you send and send
> you faked acks, probably even trick you into sending data at a
> much faster rate than you otherwise would.

Good point. We need something to protect against that.

> The checking just takes one round trip, and you can even
> piggyback your regular data.

Yes, that would be a good way to handle it. Do you agree that doing this
at the time the first choice address becomes unavailable makes more
sense than doing it at the time of initialization?

> > If the host at the new address doesn't want the traffic, there should be
> > a way for it to make the sender stop without relying on transport
> > mechanisms such as TCP RSTs. It would be good if the host at the new
> > address receives the IP address from which all of this was initiated so
> > an attacker can be traced easily.

> I agree with the value of sending the initial address.  However,
> we must remember that maybe there is no host in the first place,
> and at the time when the local router knows this for sure, it
> may be already too late: the router may be completely flooded
> with all those extra streams, maybe even targeted to a different
> address each.

I didn't think this was a very likely attack scenario because it is so
expensive for the attacker, but now that I think about it: it would be a
viable attack because the attacker gets to bypass any filters the
attacked network may have in place. I don't really see any way around
this, though, except to make this attack as expensive as possible for the
attacker.
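The one-round-trip reachability check with piggybacked data that Pekka describes, modelled as an added example written for this page (it is not code from the thread, from any IETF draft, or from either participant; the Sender and Peer classes, the packet layout, the 16-byte nonce length and the 2001:db8:: addresses are constructed assumptions). The point it shows is the defensive property under discussion: an alternate address that nobody is listening on, or that is claimed by a party who never saw the nonce, receives at most one probe-sized packet and never the flow itself.

```python
import os
import hmac

# Hypothetical, simplified model of a reachability check for an alternate
# peer address. Not from the thread or any specification; all names and
# addresses are constructed for illustration.

NONCE_LEN = 16  # bytes; large enough that a blind guess is infeasible


class Sender:
    """Traffic source that must verify a new peer address before using it."""

    def __init__(self):
        self.pending = {}       # addr -> nonce we sent there, awaiting echo
        self.verified = set()   # addresses that echoed our nonce
        self.probes_sent = {}   # addr -> number of unverified packets sent

    def probe(self, addr, payload=b""):
        """Send one check to addr; regular data may ride along on it."""
        nonce = os.urandom(NONCE_LEN)
        self.pending[addr] = nonce
        self.probes_sent[addr] = self.probes_sent.get(addr, 0) + 1
        return {"dst": addr, "nonce": nonce, "data": payload}

    def on_reply(self, addr, echoed):
        """Mark addr verified only if the reply carries the nonce sent there."""
        expected = self.pending.get(addr)
        if expected is None or not hmac.compare_digest(expected, echoed):
            return False            # unsolicited or guessed: ignored
        del self.pending[addr]
        self.verified.add(addr)
        return True

    def send(self, addr, payload):
        """Send bulk data to addr; returns None (nothing sent) if unverified."""
        if addr not in self.verified:
            return None
        return {"dst": addr, "data": payload}


class Peer:
    """A real host at some address: consumes piggybacked data, echoes the nonce."""

    def __init__(self, addr):
        self.addr = addr
        self.received = []

    def on_probe(self, packet):
        self.received.append(packet["data"])
        return (self.addr, packet["nonce"])


def failover(sender, peer, payload):
    """Move a flow to peer.addr in one round trip, carrying payload on the probe.

    Returns True when the new address has been verified and bulk sending may
    continue there.
    """
    pkt = sender.probe(peer.addr, payload)
    addr, echoed = peer.on_probe(pkt)
    return sender.on_reply(addr, echoed)


def unverified_bytes_sent(sender, addr):
    """Upper bound on packets a never-verified address received from sender."""
    return sender.probes_sent.get(addr, 0)
```

In the constructed scenario a live peer at the new address is verified after a single exchange and loses no data, because the first segment travelled on the probe. An empty address, or one where the recipient cannot return the nonce, stays in `pending` forever: `send` refuses it and the only packet it ever sees is the probe, which is what bounds the flooding potential to one packet per address per probe.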