
RE: Fwd: Minutes / Notes



Hi Masataka,

What about time shifting attacks?
I mean you can solve it with RR, but this implies periodical exchanges such
as MIPv6.
I do agree that DNS packet exchanges are susceptible to this kind of attack,
but currently you have the option of using the IP address directly,
preventing such attacks. However, if you build an insecure id/locator
binding, you cannot prevent them, so I guess we do not want to do this.
Besides, there are flooding attacks, as mentioned in Pekka's draft.

IMHO we should really consider this draft as a valuable input to the design
of the solution, since it describes many issues that have to be considered.
Underestimating these issues will only delay the solution.

Regards, marcelo

> -----Original Message-----
> From: Masataka Ohta [mailto:mohta@necom830.hpcl.titech.ac.jp]
> Sent: Thursday, July 24, 2003 6:38
> To: Pekka Nikander
> CC: marcelo bagnulo; J. Noel Chiappa; multi6@ops.ietf.org
> Subject: Re: Fwd: Minutes / Notes
>
>
> Pekka;
>
> > > Binding between locators and identifiers in single packets has
> > > just enough security.
>
> It should also be noted that binding between locators and identifiers
> in single DNS reply packets has just enough security.
>
> > Strongly disagree.  See the flooding attacks in
> >
> http://www.ietf.org/internet-drafts/draft-nikander-mobileip-v6-ro-sec-01.txt
>
> They do not, as such, directly apply to multi-homing,

Notification of locator changes, of course, needs its own
security, which does not apply to the multi-homing issue here,
not even indirectly.

> but you can fairly easily find out variants that do.

Wrong.

The variant (or a simple case) is an issue to be addressed by
return routability and/or DNS reverse/forward mapping just as
current IPv4 or 6.

							Masataka Ohta