Re: Fwd: Minutes / Notes
Masataka,
It should also be noted that the binding between locators and identifiers
in single DNS reply packets has just enough security.
No, it doesn't, see below.
Strongly disagree. See the flooding attacks in
...
but you can fairly easily find out variants that do.
Wrong.
The variant (or a simple case) is an issue to be addressed by
return routability and/or DNS reverse/forward mapping just as
current IPv4 or 6.
Please get your facts right.
1. I create the following DNS records for myself
(using A here for AAAA just to make the point...)
pnr.iki.fi. IN IDENTITY XXX
pnr.iki.fi. IN A 131.112.32.132
pnr.iki.fi. IN A 81.17.193.194
[For those who don't want to check,
81.17.193.194 is pnr.iki.fi,
131.112.32.132 is necom830.hpcl.titech.ac.jp]
2. I order a large number of streams, all
associated with XXX, directed to 81.17.193.194
These can be TCP or UDP streams...
3. I start sending acknowledgements with source
address spoofed to 131.112.32.132
4. The hosts shipping the streams think that my
link to 81.17.193.194 has just crashed, and
start shipping the packets to 131.112.32.132
The rest should be clear. Yes, you can defeat
this particular scenario by saying that in IPv6
ingress filtering will be universally deployed,
but there are other, more complex ones where
ingress filtering does not necessarily help.
--Pekka Nikander
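The four-step scenario above hinges on the stream source redirecting on a bare acknowledgement. The following added example (not part of the thread, written here to illustrate the point) models a sender in Python with and without a return-routability check, using the two locators from the message; the StreamSender class and its methods are assumed names for illustration.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample from the thread: the two locators DNS binds to identity XXX.
LOCATORS = {"131.112.32.132", "81.17.193.194"}

@dataclass
class StreamSender:
    """Source of a stream addressed to XXX at one of its locators."""
    current: str                 # locator packets are currently shipped to
    require_rr: bool             # True: demand return-routability proof first
    pending: Dict[str, str] = field(default_factory=dict)  # locator -> nonce

    def on_ack(self, src_locator: str) -> Optional[str]:
        """Ack arrived with source src_locator. Without RR the sender redirects
        at once (step 4); with RR it only routes a nonce to src_locator itself."""
        if src_locator not in LOCATORS or src_locator == self.current:
            return None          # not a locator of XXX, or no change requested
        if not self.require_rr:
            self.current = src_locator   # vulnerable: one bare ack moves the stream
            return None
        nonce = os.urandom(8).hex()
        self.pending[src_locator] = nonce
        return nonce             # delivered to src_locator, not to the ack's sender

    def on_rr_echo(self, src_locator: str, nonce: str) -> bool:
        """Switch only if the nonce we routed to src_locator comes back."""
        if self.pending.get(src_locator) == nonce:
            del self.pending[src_locator]
            self.current = src_locator
            return True
        return False

def after_spoofed_ack(require_rr: bool) -> str:
    """Locator in use after an ack claiming 131.112.32.132 that the host there
    never sent, so the nonce routed to it is never echoed back."""
    s = StreamSender(current="81.17.193.194", require_rr=require_rr)
    s.on_ack("131.112.32.132")
    s.on_rr_echo("131.112.32.132", "not-the-nonce")  # a guess does not pass
    return s.current

def after_genuine_move() -> str:
    """With RR, a host really at the new locator echoes the nonce and moves."""
    s = StreamSender(current="81.17.193.194", require_rr=True)
    nonce = s.on_ack("131.112.32.132")
    s.on_rr_echo("131.112.32.132", nonce)
    return s.current
```

Without the check the stream follows the spoofed ack; with it the stream stays put until the claimed locator proves it can receive traffic, while a genuine move still succeeds.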