Re: Security requirements for identification

[Pekka Nikander <pekka.nikander@nomadiclab.com>]

Marcelo,

> > In my opinion, strongly protecting the adding mechanism is really
> > the most important point.  It may be also useful to include a
> > check whenever you start to use a locator after a long period of
> > inactivity, even if the locator is already in the pool.
> >
> > Arranging an attack where you use a given address and stop using
> > it just before your victim arrives and starts to use it seems
> > to be very hard, and probably not worth worrying about.
>
> Well, then why don't we just extend mip BCE maximum lifetime then?
> If i understand correctly, this is exaclty the type of attack that the
> maximum BCE lifetime bound prevents.

Well, the MIPv6 RO case is more complicated, since the home address
is used as the identifier, too.  In my statement above, I was merely
referring to IP addresses that are used as locators.  If you use an
address as an identifier, there are additional complications.

The biggest burden is probably that all new connections will use
an existing BCE binding.  Hence, if you have once managed to convince
a node that a given *identifier* (home address) is reachable at a
given *locator* (care-of address), you could launch attacks based on
that unless the binding is periodically checked.

Consequently, we would not need the periodic checks on the care-of
address.  However, it is much simpler to just use the base mechanism
and check both care-of and home addresses periodically than to have
a separate mechanism that only checks reachability through the home
address.

--Pekka Nikander