
Re: PI/metro/geo [Re: The state of IPv6 multihoming development]

On Tuesday, Nov 5, 2002, at 10:54 America/Montreal, Iljitsch van Beijnum wrote:
> Forging IP addresses is easy in one direction. But 1. receiving the
> packets that are sent back and 2. shutting up the real destination
> aren't as easy, but those are also necessary to successfully engage in
> non-trivial communication.
TCP connection hijacking relies on this ability to perform a man-in-the-middle
attack. It is a long-standing threat and it isn't that hard to engage in.
See papers by Bellovin and others dating back to maybe 1988 for more.

> but no one does because DNSsec is not deployed (and there are questions
> of how deployable it is).
> If you use SSL there is no need for the DNS replies to be 100% reliable
> anyway as forging DNS information just becomes a very elaborate DoS
> attack.
SSL is not a general solution.  Consider UDP-based applications or
routing protocols such as OSPF -- neither of which is helped one iota
by SSL.

Ran