
Re: multi6-threats-00.txt vs. MIPv6 - different strength verifications?



On 5 nov 2003, at 11:18, Erik Nordmark wrote:

Yes, but a weak verification can be converted to a strong verification
at any time by invoking the strong verification mechanism (be it DNS
or CBID-based).

Why not go for the strong stuff immediately?

Because it is likely to be more expensive; for CBID schemes you'd need
a public key challenge response (signing by the peer, verification at your end) and for DNS schemes like NOID you'd need at least a reverse lookup of the new locator.

Good point. Still, I don't think a clear text cookie is the best tradeoff here. Doing one or two MD5 hashes over a few dozen bytes is enough to get rid of attackers who can sniff, but not block traffic.


If the new locator is from a previously unused ISP, DNS caches might
not help, and if DNSsec is used this implies verifying at least 3 (or is it 6
with delegation signer?) since there are likely to be 3 new delegations to
find the previously unused ip6.arpa entry.

I think we have to assume that DNSSEC won't be used.


Wireless networks are a good example. Many switches provide monitoring
capabilities and fibers are not that hard to sniff. So someone with
physical access can look at the traffic with relative ease. However, in
order to block selected packets the attacker needs to redirect traffic
or install equipment in the middle. I suppose that's doable on wireless
lans but not so much when tapping into existing monitoring
capabilities.

ARP/ND spoofing works well for any LAN I suspect.

But that's something that operators can fix if they care enough.


Hadn't thought about using monitoring capabilities.
Do these require physical access, or can they be exploited remotely
due to poor access control in the switches?

Hard to say. But remember that ISPs and service providers higher up the stack in very many cases house their equipment in colo facilities where it's often not too hard for someone with legitimate access (i.e., who rents some rack space there too) to mess around with someone else's equipment.


If the attacker has physical access I don't know if there
is that much different between installing some inductive coupling on
a wire and installing a box on that wire.

I suppose not, but often the monitoring facilities are already in place. It's just a question of connecting a notebook to a monitoring port on a switch.


Remember that we assume that security-sensitive traffic secures its payload
(IPsec, TLS, etc.), thus for that traffic the worst attack is a DoS. And an
attacker with physical access can accomplish a DoS by just cutting the wire.

True, but that will be detected very quickly. Monitoring may remain undetected for a long time. Maybe in quantum physics looking at something is on the same scale as manipulating it, but in networks this isn't exactly the case. :-)


My point is that trying to prevent man in the middle attacks doesn't make any sense for what we're trying to do here, but making our stuff such that someone with just sniffing and packet injection capability but who can't block the real traffic, is helpful.
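The sniff-but-not-block distinction drawn in this thread, as an added illustration that is not part of the original exchange: a clear-text cookie beside a hash-chain proof, both verified by a responder that tracks its peer's locator. The chain construction, the Responder class and the locators are the editor's assumptions about how "one or two MD5 hashes" could be used, not a mechanism taken from multi6 or MIPv6.

```python
import hashlib
import os

def h(data):
    # MD5, as mentioned in the thread; preimage resistance is all this needs
    return hashlib.md5(data).digest()

def make_chain(length, seed=None):
    """chain[0] is the anchor sent at session start; chain[i] == h(chain[i + 1])."""
    seed = seed or os.urandom(16)
    chain = [seed]
    for _ in range(length):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain

class Responder:
    def __init__(self, peer_locator, anchor, clear_cookie):
        self.locator = peer_locator
        self.expected = anchor      # last accepted hash-chain value
        self.cookie = clear_cookie  # clear-text cookie handed out at session start

    def change_with_cookie(self, new_locator, cookie):
        # Weak: anyone who sniffed the session start holds the same cookie
        if cookie != self.cookie:
            return False
        self.locator = new_locator
        return True

    def change_with_chain(self, new_locator, proof):
        if h(proof) != self.expected:  # one hash per verification
            return False
        self.expected = proof          # proof is consumed, so a replay fails
        self.locator = new_locator
        return True

def scenario():
    """Constructed session: the attacker sniffs everything but cannot block packets."""
    cookie, chain = os.urandom(16), make_chain(3)
    sniffed = {"cookie": cookie, "anchor": chain[0]}  # what the session start reveals
    r = Responder("2001:db8:1::1", chain[0], cookie)
    out = {}
    out["cookie_forged"] = r.change_with_cookie("2001:db8:bad::1", sniffed["cookie"])
    out["chain_forged"] = r.change_with_chain("2001:db8:bad::1", sniffed["anchor"])
    out["legit_move"] = r.change_with_chain("2001:db8:2::1", chain[1])  # seen, not blocked
    out["chain_replayed"] = r.change_with_chain("2001:db8:bad::1", chain[1])
    out["locator"] = r.locator
    return out
```

The sniffer wins outright against the cookie, while against the chain it holds only the anchor until the legitimate move reveals the next value, by which time the responder has already advanced and a replay of that value no longer verifies.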