
Re: Security requirements for identification



Marcelo,

In my opinion, strongly protecting the adding mechanism is really
the most important point.  It may be also useful to include a
check whenever you start to use a locator after a long period of
inactivity, even if the locator is already in the pool.

Arranging an attack where you use a given address and stop using
it just before your victim arrives and starts to use it seems
to be very hard, and probably not worth worrying about.

Well, then why don't we just extend the MIP BCE maximum lifetime then? If I understand correctly, this is exactly the type of attack that the maximum BCE lifetime bound prevents.

Well, the MIPv6 RO case is more complicated, since the home address is used as the identifier, too. In my statement above, I was merely referring to IP addresses that are used as locators. If you use an address as an identifier, there are additional complications.

The biggest burden is probably that all new connections will use
an existing BCE binding.  Hence, if you have once managed to convince
a node that a given *identifier* (home address) is reachable at a
given *locator* (care-of address), you could launch attacks based on
that unless the binding is periodically checked.

Consequently, we would not need the periodic checks on the care-of
address.  However, it is much simpler to just use the base mechanism
and check both care-of and home addresses periodically than to have
a separate mechanism that only checks reachability through the home
address.

--Pekka Nikander
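
The locator handling suggested in this message (a protected add step, plus a re-check when a pooled locator is used again after long inactivity), as an added example that is not part of the original post. `LocatorPool`, `reachability_check` and the 300-second idle limit are hypothetical names and values chosen for illustration; the thread specifies none of them.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_IDLE_SECONDS = 300.0  # assumed value; the thread gives no concrete interval


@dataclass
class LocatorPool:
    # Hypothetical callback standing in for whatever reachability test
    # the protocol defines (returns True if the peer answers at the locator).
    reachability_check: Callable[[str], bool]
    max_idle: float = MAX_IDLE_SECONDS
    _last_use: Dict[str, float] = field(default_factory=dict, init=False)

    def add(self, locator: str, now: float) -> bool:
        """The protected step: a locator enters the pool only if verified."""
        if not self.reachability_check(locator):
            return False
        self._last_use[locator] = now
        return True

    def use(self, locator: str, now: float) -> bool:
        """Return True if traffic may be sent to `locator` at time `now`."""
        last = self._last_use.get(locator)
        if last is None:
            return False  # never added, or dropped after a failed re-check
        if now - last > self.max_idle:
            # Long inactivity: re-verify even though the locator is pooled.
            if not self.reachability_check(locator):
                del self._last_use[locator]
                return False
        self._last_use[locator] = now
        return True


if __name__ == "__main__":
    # Constructed scenario: the peer is reachable at one documentation-range
    # address, then leaves it while the pool entry sits idle.
    reachable = {"2001:db8::1"}
    pool = LocatorPool(lambda loc: loc in reachable)
    print(pool.add("2001:db8::1", now=0.0))    # verified on add
    print(pool.use("2001:db8::1", now=100.0))  # recent use, no re-check
    reachable.clear()                          # peer moves away
    print(pool.use("2001:db8::1", now=600.0))  # idle too long, re-check fails
```
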