
Re: PI/metro/geo [Re: The state of IPv6 multihoming development]



On Tue, 5 Nov 2002, RJ Atkinson wrote:

> > Forging IP addresses is easy in one direction. But 1. receiving the
> > packets that are sent back and 2. shutting up the real destination
> > aren't as easy, but those are also necessary to successfully engage in
> > non-trivial communication.

> TCP connection hijacking relies on this ability to perform a man-in-the-middle
> attack.  It is a long-standing threat and it isn't that hard to engage in.

This is like saying "locks don't provide much security if your opponent
has a copy of the key". My point is that becoming a man in the middle is
not an easy thing to do in general.

> > If you use SSL there is no need for the DNS replies to be 100% reliable
> > anyway as forging DNS information just becomes a very elaborate DoS
> > attack.

> SSL is not a general solution.  Consider UDP-based applications or
> routing protocols such as OSPF -- neither of which is helped one iota
> by SSL.

True. OSPF isn't helped an iota by DNSSEC either, though.

It annoys me that "security people" are quick to scream that everything is
insecure while in reality many of the attacks they claim are possible
are very hard to carry out. This is very counterproductive, as many
people conclude that everything is always insecure, so why bother trying
to do anything about it.
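The two preconditions the reply lists for non-trivial spoofed communication (receiving the packets sent back, and shutting up the real destination) can be made concrete with a toy model of TCP connection spoofing. The following is an added example, not code from the thread or from any of its participants; it models only addresses and sequence numbers, not real sockets, and the ISN increment, the per-boot secret and the IP addresses are made-up values chosen for illustration. An on-path attacker reads the SYN-ACK and always succeeds; an off-path attacker never sees it and must both predict the server's ISN and keep the real owner of the spoofed address from sending a RST.

```python
"""Toy model of on-path vs. blind (off-path) TCP connection spoofing.

Added example, not from the mailing-list thread.  Nothing here touches a
network: the "server" just tracks half-open connections and their ISNs.
"""
import hashlib
import secrets

MASK32 = 0xFFFFFFFF
ISN_INCREMENT = 64000        # made-up per-connection increment for the predictable scheme


class Server:
    """Answers a SYN with a SYN-ACK carrying its ISN; completes on a correct ACK."""

    def __init__(self, isn_scheme="random"):
        self.isn_scheme = isn_scheme
        self.counter = 0x12345678               # arbitrary starting point (made up)
        self.secret = secrets.token_bytes(16)   # per-boot secret for the RFC 1948 style scheme
        self.pending = {}                       # (client_ip, client_port) -> server ISN
        self.established = set()

    def _next_isn(self, client_ip, client_port):
        if self.isn_scheme == "predictable":
            # Old-style: a fixed increment per connection, so one legitimate
            # connection tells an attacker what the next ISN will be.
            self.counter = (self.counter + ISN_INCREMENT) & MASK32
            return self.counter
        if self.isn_scheme == "rfc1948":
            # RFC 1948 style: same global counter, plus a per-4-tuple offset
            # from a keyed hash, so the attacker's own connection reveals
            # nothing about the offset used for the victim's address.
            tag = hashlib.sha256(self.secret + f"{client_ip}:{client_port}".encode()).digest()
            self.counter = (self.counter + ISN_INCREMENT) & MASK32
            return (self.counter + int.from_bytes(tag[:4], "big")) & MASK32
        return secrets.randbits(32)             # fully random ISN

    def syn(self, client_ip, client_port):
        """Handle a SYN; the return value is the SYN-ACK, delivered to client_ip."""
        isn = self._next_isn(client_ip, client_port)
        self.pending[(client_ip, client_port)] = isn
        return isn

    def ack(self, client_ip, client_port, ack_num):
        """Third handshake packet: accepted only if it acknowledges our ISN + 1."""
        isn = self.pending.pop((client_ip, client_port), None)
        ok = isn is not None and ack_num == ((isn + 1) & MASK32)
        if ok:
            self.established.add((client_ip, client_port))
        return ok

    def rst(self, client_ip, client_port):
        """A RST from the real owner of client_ip aborts the half-open connection."""
        self.pending.pop((client_ip, client_port), None)


def on_path_spoof(server, victim_ip):
    """Attacker who can read the SYN-ACK on the wire: no guessing needed."""
    seen_isn = server.syn(victim_ip, 40000)           # attacker sees this reply
    return server.ack(victim_ip, 40000, (seen_isn + 1) & MASK32)


def blind_spoof(server, victim_ip, victim_silenced):
    """Off-path attacker: never sees the SYN-ACK, so must predict the ISN.

    victim_silenced models whether the real host behind victim_ip has been
    prevented (e.g. by flooding it) from answering the unexpected SYN-ACK
    with a RST.
    """
    attacker_ip, attacker_port = "203.0.113.7", 50000   # made-up attacker address
    # Step 1: a real connection from the attacker's own address reveals an ISN.
    learned = server.syn(attacker_ip, attacker_port)
    server.ack(attacker_ip, attacker_port, (learned + 1) & MASK32)
    # Step 2: spoofed SYN.  The SYN-ACK goes to victim_ip, not to the attacker,
    # so its value is unavailable to the attacker and is deliberately dropped.
    server.syn(victim_ip, 40000)
    if not victim_silenced:
        server.rst(victim_ip, 40000)     # real victim tears the connection down
    # Step 3: guess the ISN the server used for the spoofed SYN.  This guess is
    # right only for the predictable scheme; for the others it is a 1-in-2^32 shot.
    guess = (learned + ISN_INCREMENT) & MASK32
    return server.ack(victim_ip, 40000, (guess + 1) & MASK32)


def run_all(victim_ip="198.51.100.5"):
    """Return {scenario: success} for every attacker/ISN-scheme combination."""
    results = {"on_path/random": on_path_spoof(Server("random"), victim_ip)}
    for scheme in ("predictable", "rfc1948", "random"):
        for silenced in (True, False):
            key = f"blind/{scheme}/victim_silenced={silenced}"
            results[key] = blind_spoof(Server(scheme), victim_ip, silenced)
    return results


if __name__ == "__main__":
    for scenario, success in run_all().items():
        print(f"{scenario:45s} {'connected' if success else 'failed'}")
```

The only blind scenario that succeeds is the predictable ISN with the victim silenced, which is exactly the pair of conditions the reply says are the hard part. With a random or RFC 1948 style ISN the off-path attacker is reduced to a 2^-32 guess per attempt even after silencing the victim.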