[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?
From: Erik Nordmark <Erik.Nordmark@sun.com>
Date: Wed, 5 Nov 2003 11:18:50 +0100 (CET)
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, multi6@ops.ietf.org
In-reply-to: "Your message with ID" <C4AA34A0-0ECC-11D8-94BB-00039388672E@muada.com>
Reply-to: Erik Nordmark <Erik.Nordmark@sun.com>

> > Yes, but a weak verification can be converted to a strong verification
> > at any time by invoking the strong verification mechanism (be it DNS
> > or CBID-based).
> 
> Why not go for the strong stuff immediately?

Because it is likely to be more expensive; for CBID schemes you'd need
a public key challenge response (signing by the peer, verification at your end)
and for DNS schemes like NOID you'd need at least a reverse lookup of the new
locator. If the new locator is from a revious unused ISP DNS cachaes might 
not help and if DNSsec is used this implies verifying at least 3 (or it is 6
with delegation signer?) since there are likely to be 3 new delegations to
find the previously unused ip6.arpa entry.

Hence I think it is useful to explore different weak schemes that
defers stronger verification until it is actually needed (for instance,
until the peer rehomes to different locators).

> Wireless networks are a good example. Many switches provide monitoring 
> capabilities and fibers are not that hard to sniff. So someone with 
> physical access can look at the traffic with relative ease. However, in 
> order to block selected packets the attacker needs to redirect traffic 
> or install equipment in the middle. I suppose that's doable on wireless 
> lans but not so much when tapping into existing monitoring 
> capabilities.

ARP/ND spoofing works well for any LAN I suspect.
Hadn't thought about using monitoring capabailities.
Do these require physical access, or can they be exploited remotely
due to poor access control in the switches?
If the attacker has physical access I don't know if there
is that much different between installing some inductive coupling on
a wire and installing a box on that wire.
Remember that we assume that security sensitive traffic secure its payload
(IPsec, TLS, etc) thus for that traffic the worst attack is a DoS. And an
attacker with physical access can accomplish a DoS by just cutting the wire.

Granted that there is a slight difference between cutting a wire
and selectively redirecting a single connection/host-pair communication
to a black hole; the former is much more likely to be detected and promptly
repaired.

    Erik

Follow-Ups:
- Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: RE: survivability, rewriting
Next by Date: RE: survivability, rewriting
Previous by thread: Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?
Next by thread: Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?
Index(es):
- Date
- Thread