
Re: security requirement for multi6



Hi, Marcelo;

>> Without DNS, a cookie and a set of all the locators of a
>> host should be exchanged with the peer as a 3-way handshake
>> at the beginning of a communication. The cookie is to prevent
>> DoS with source address spoofing. The handshaking may be
>> performed as a special protocol or piggybacked on an existing
>> protocol. Especially, the handshaking may be piggybacked on
>> the initial 3-way handshaking of TCP with sequence numbers as cookies.

> Could you expand a little bit on how the mechanism would work? I mean, how do you
> deal with the threats detailed in section 4.3, Third Party Denial-of-Service
> Attacks, of draft-nordmark-multi6-threats-00.txt?
> I think that you meant using a cookie, but I think that you will need to
> exchange the cookie using all of the locators of the set, right?

No.


> I mean it is not enough to exchange the cookie through a single locator; you
> need to do it through all locators.

The only thing we can do without DNS is to assure that the identity
stays the same. In addition, it is silently assumed that a host
initiating a connection knows a locator of its peer but not the whole
set of locators (otherwise, just use the set). It is also assumed that
the peer initially knows nothing about the initiating host.

So, a cookie is used by the initiating host to securely get a set
of locators of its peer using the initial locator of the peer.

Another cookie is used by the peer to securely get a set of
locators of the initiating host using the locator initially
used by the initiating host.


As the entire process is lightweight (unless secure DNS is
used, which is one of the reasons why secure DNS is impractical),
any further attempt at DoS prevention is unreasonable and would only
increase the chance of DoS.

> The remaining attack, AFAICS, is how do you prevent connection hijack by an
> attacker that intercepts the initial three-way handshake and then moves away.
> Note that currently an attacker can only hijack a connection as long as he
> stays in the path intercepting packets,

Such an attack will be meaningful as a faked peer (server) of a host
(client) initiating a connection.

However, prevention of connection hijack against a temporary MITM
is not a requirement, at all.

> so if you allow this type of attack
> you are introducing a new vulnerability.

No, it is not new.


As I wrote to Erik, with DNS, if a MITM intercepts the initial DNS exchange
to redirect a connection to his host elsewhere, the connection is
hijacked by a host not currently on the path.

That is, prevention of connection hijack against a temporary MITM
is impossible without expensive security mechanisms and is not a
requirement here.

Masataka Ohta

PS

Considering that it is not realistic to type raw IPv6 addresses,
it may be reasonable to assume that addresses are obtained from
DNS or some electronic media, in either of which case the entire
set of locators can be stored, so that there is nothing to worry
about.
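Added example, not part of the thread: a constructed Python simulation of the two-cookie, three-message exchange described above, where a responder keeps no state until its cookie returns from the claimed source locator. Host names, locator strings, the message layout and the HMAC-based cookie construction are my assumptions, not anything the thread specifies.

```python
import hashlib, hmac, os

class Host:
    """A multi6 host: an identity name plus the locators it owns (constructed data)."""
    def __init__(self, name, locators):
        self.name, self.locators = name, list(locators)
        self.secret = os.urandom(16)   # key for stateless responder cookies (assumed design)
        self.pending = {}              # initiator side: cookie c1 -> peer's initial locator
        self.peers = {}                # verified locator sets, keyed by peer identity
    def responder_cookie(self, src_locator):
        # Bound to the claimed source locator; the responder keeps no per-peer state
        # until this cookie comes back from a host that actually received it there.
        return hmac.new(self.secret, src_locator.encode(), hashlib.sha256).digest()[:8]
    def msg1(self, peer_locator):
        # Initiator -> the one known locator of the peer, carrying a fresh cookie c1.
        c1 = os.urandom(8)
        self.pending[c1] = peer_locator
        return ("msg1", self.locators[0], peer_locator, c1)
    def on_msg1(self, src, dst, c1):
        # Responder returns c1 with its own locator set, plus its cookie c2 for src.
        return ("msg2", dst, src, c1, self.name, self.locators, self.responder_cookie(src))
    def on_msg2(self, src, dst, c1, peer_name, peer_locators, c2):
        # Initiator accepts the peer's set only if c1 came back via the initial locator.
        if self.pending.pop(c1, None) != src:
            return None
        self.peers[peer_name] = list(peer_locators)
        return ("msg3", dst, src, c2, self.name, self.locators)
    def on_msg3(self, src, dst, c2, peer_name, peer_locators):
        # Responder accepts the initiator's set only if c2 proves reachability at src.
        if not hmac.compare_digest(c2, self.responder_cookie(src)):
            return None
        self.peers[peer_name] = list(peer_locators)
        return True

def deliver(hosts, pkt):
    """Constructed network: a packet reaches only the host owning its destination locator."""
    kind, src, dst, *rest = pkt
    for h in hosts:
        if dst in h.locators:
            return getattr(h, "on_" + kind)(src, dst, *rest)
    return None

def handshake(hosts, initiator, peer_initial_locator):
    # Runs msg1 -> msg2 -> msg3; True when both hosts hold each other's verified set.
    pkt = deliver(hosts, initiator.msg1(peer_initial_locator))   # msg2 back to initiator
    pkt = pkt and deliver(hosts, pkt)                            # msg3 on to the peer
    return pkt and deliver(hosts, pkt)
```

A forged msg1 with a spoofed source only causes msg2 to be sent to the spoofed locator, whose owner drops it; an attacker sitting on the path during the exchange sees both cookies, which is exactly the temporary-MITM case the mail leaves out of scope.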