comments on nordmark-multi-threats
Hi,
I made a very quick pass through the document on the plane. The document
is excellent, at least the parts that are there. I didn't go through the
analysis to see if there might be some remainder threats.
One thing the doc could maybe be slightly clearer on is which "security
problems" the different attacks rely on (e.g., off-link TCP ACK spoofing,
TCP seq number synchronization (could be very challenging if truly random
seq/ack numbers are used), etc.)
A couple of observations and minor nits below, nothing major.
Similarly, if DNS can be compromised, and a change can be made to an
advertised resource record to advertise a different IP address for a
hostname, effectively taking over that hostname.
==> does this imply DNS threats, in addition to just hacking the zone?
Any system that is along the path from the source to the destination
host can be compromised and used to redirect traffic. Systems may be
added to the best path to accomplish this. Further, even systems
that are on multi-access links that do not provide security can also
be used to redirect traffic off of the normal path. For example, ARP
and ND spoofing can be used to attract all traffic for the legitimate
next hop across an Ethernet.
==> these apply to DNS, the paths and links to the DNS server, as well, of
course.
An attribute of this type of attack is that A will simply think that
B is faulty since its flow and congestion control mechanisms don't
seem to be working. Detecting that the stream of ACK packets is
generated from X and not from A might be challenging, since the rate
of ACK packets might be relatively low. This type of attack might
not be common today because it requires that X remain on the path in
order to sustain the DoS attack, but the addition of multihoming
redirection mechanisms might potentially remove that constraint.
==> it is not readily apparent why X would need to remain on the path to
continue this, but I didn't think this through. Maybe need spelling out?
fully editorial
---------------
traced to the attacker. An example of this is to use protocols which
cause reflection with or without amplification [PAXSON01].
Reflection without amplification can be accomplished by an attacker
==> insert a new line after PAXSON ?
this type of attack could either case redirection (so that the
==> s/case/cause/
network before any reassignment. Note that this does not require
explicit mechanism. This can instead be implemented by locator reuse
==> s/require/require an/
multihoming solution would fail our "no worse than what we have now"
litmus test. However, given that ingress filtering deployment is far
==> "litmus test" ?
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
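The review above notes that the off-path TCP ACK spoofing threat hinges on the attacker being able to pick sequence/ack numbers the victim will honour, which is hard when initial sequence numbers are truly random. The following is an added example, not code from this mail or from the nordmark-multi6-threats draft, showing the receiver-side check that makes that guessing necessary: the ACK range test of RFC 5961 (section 5.2), where an ACK is only accepted if it lies between SND.UNA - MAX.SND.WND and SND.NXT in 32-bit modular arithmetic, plus a per-peer counter of rejected ACKs as a simple detection signal. The class and function names, the window sizes, the threshold and the sample segments are all constructed for illustration.

```python
"""Added example (not part of the mail or the draft it reviews): a
receiver-side plausibility check on inbound TCP ACK numbers, with a
per-peer count of rejected ACKs usable as a detection signal.

Rule applied (RFC 5961, section 5.2): accept SEG.ACK only if
    SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT
evaluated in 32-bit modular sequence space. All names, window sizes and
sample values below are constructed for illustration.
"""
from dataclasses import dataclass, field

MOD = 1 << 32   # TCP sequence space wraps at 2^32
HALF = 1 << 31


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in 32-bit sequence space, so comparisons stay
    correct across the 2^32 wrap (serial-number arithmetic as in RFC 1982)."""
    d = (a - b) % MOD
    return d - MOD if d >= HALF else d


@dataclass
class SendState:
    """Sender-side variables the ACK check needs (constructed example)."""
    snd_una: int                  # oldest unacknowledged sequence number
    snd_nxt: int                  # next sequence number we will send
    max_snd_wnd: int              # largest send window seen on the connection
    rejected: dict = field(default_factory=dict)  # peer -> dropped-ACK count


def ack_acceptable(state: SendState, seg_ack: int) -> bool:
    """True if SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT (modular)."""
    not_too_old = seq_diff(seg_ack, state.snd_una) >= -state.max_snd_wnd
    not_beyond_sent = seq_diff(seg_ack, state.snd_nxt) <= 0
    return not_too_old and not_beyond_sent


def process_ack(state: SendState, peer: str, seg_ack: int) -> str:
    """Apply the check to one inbound segment's ACK field.

    Returns "accept" or "reject". On accept, SND.UNA advances only if the
    ACK covers new data; an older in-window ACK is a plain duplicate and is
    accepted without advancing. On reject, the per-peer counter grows."""
    if not ack_acceptable(state, seg_ack):
        state.rejected[peer] = state.rejected.get(peer, 0) + 1
        return "reject"
    if seq_diff(seg_ack, state.snd_una) > 0:
        state.snd_una = seg_ack
    return "accept"


def spoof_suspect(state: SendState, peer: str, threshold: int = 3) -> bool:
    """Detection heuristic: a peer that repeatedly acknowledges data we never
    sent, or data far outside the window, is worth alerting on.
    The threshold is an arbitrary constructed value."""
    return state.rejected.get(peer, 0) >= threshold


if __name__ == "__main__":
    # Constructed connection: 4000 bytes in flight, largest window 4096.
    st = SendState(snd_una=1000, snd_nxt=5000, max_snd_wnd=4096)
    for ack in (3000, 2000, 9000, 3000 + HALF, 3000 - 4097):
        ack %= MOD
        print(ack, process_ack(st, "192.0.2.10", ack))   # documentation address
    print("suspect:", spoof_suspect(st, "192.0.2.10"))
    # Wrap-around: SND.UNA just below 2^32, SND.NXT already wrapped past 0.
    w = SendState(snd_una=MOD - 100, snd_nxt=200, max_snd_wnd=4096)
    print("wrapped ack 50:", process_ack(w, "192.0.2.11", 50), "snd_una =", w.snd_una)
```

Run it as a script to see the five constructed ACKs classified: the first two (new data, then a duplicate inside the window) are accepted, the last three (beyond SND.NXT, half the sequence space away, one byte older than the window) are rejected, which trips the detection threshold; the final case shows the modular comparison surviving a 2^32 wrap.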