[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fwd: Minutes / Notes

To: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: Fwd: Minutes / Notes
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Fri, 25 Jul 2003 01:10:07 +0859 ()
Cc: multi6@ops.ietf.org
In-reply-to: <3F1FD7EE.2070005@nomadiclab.com> from Pekka Nikander at "Jul 24,2003 03:58:22 pm"

Pekka Nikander;

> > It should also be noted that binding between locators and identifiers
> > in single DNS reply packets have just enough security.
> 
> No, it doesn't, see below.

Yes, it does.

> > The variant (or a simple case) is an issue to be addressed by
> > return routability and/or DNS reverse/forward mapping just as
> > current IPv4 or 6.
> 
> Please get your facts right.
> 
> 1. I create the following DNS records for myself
>     (using A here for AAAA just to make the point...)
> 
>     pnr.iki.fi.         IN IDENTITY XXX
>     pnr.iki.fi.         IN A        131.112.32.132
>     pnr.iki.fi.         IN A         81.17.193.194
> 
>     [For those who don't want to check,
>      81.17.193.194 is pnr.iki.fi,
>      131.112.32.132 is necom830.hpcl.titech.ac.jp]
> 
> 2. I order a large number of streams, all
>     associated with XXX, directed to 81.17.193.194
>     These can be TCP or UDP streams...
> 
> 3. I start sending acknowledgements with source
>     address spoofed to 131.112.32.132
> 
> 4. The hosts shipping the streams think that my
>     link to 81.17.193.194 has just crashed, and
>     start shipping the packets to 131.112.32.132
> 
> The rest should be clear.

Ignoring the mistake that using source address of 131.112.32.132
does not make its peer that 81.17.193.194 has crashed...

Yes, lacking proper acknowledgements from 131.112.32.132, the
peer will terminate the stream.

That is, you can't send proper acknowledgements, unless you can
receive packets to 131.112.32.132, which is the return routability.

It should also be noted that there is no amplificaiton here that
it is no worse than ICMP echo requests with spoofed source addresses.

> Yes, you can defeat
> this particular scenario by saying that in IPv6
> ingress filtering will be universally deployed,
> but there are other, more complex ones where
> ingress filtering does not necessarily help.

Yes, similar attack is, for example, possible with

    pnr.iki.fi.         IN MX        10 pnr.iki.fi,
    pnr.iki.fi.         IN MX        20 necom830.hpcl.titech.ac.jp
    pnr.iki.fi.         IN A         81.17.193.194
    necom830.hpcl.titech.ac.jp IN A        131.112.32.132

and sending a lot of erroneous mails from pnr.iki.fi to
random recipients.

So?

						Masataka Ohta

Follow-Ups:
- Re: Fwd: Minutes / Notes
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>

References:
- Re: Fwd: Minutes / Notes
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>

Prev by Date: RE: Reasonable to use crypto in all communications? (Re: Fwd: Minutes/Notes)
Next by Date: Re: Reasonable to use crypto in all communications? (Re: Fwd: Minutes/ Notes)
Previous by thread: Re: Fwd: Minutes / Notes
Next by thread: Re: Fwd: Minutes / Notes
Index(es):
- Date
- Thread