
Re: Shared Locator Address Pool (SLAP) protocol proposal



Dave,

PN> However, I am also worried about potential DoS and other
PN> security issues.  To me, it looks like a bad idea of allowing
PN> all of the upper layer protocols to add or remove addresses
PN> from SLAP.  Updating (soft) address state is probably fine,
PN> but both adding and deleting addresses is potentially dangerous.

> Please elaborate on your concerns.

It's mostly gut feeling right now. I have to do some analysis before I can say much more, and I don't have that time right now. Maybe reading Erik's threat draft would give some insight?

> My assumption is that the apps each has at least the requisite, basic
> "authentication of exchange continuity" that routing-based IP validation
> provides.

Well, while that may suffice as a baseline, it may still have some issues. Like what if some applications have better security properties than others? In that case you could use an application with weaker security to confuse the SLAP state in order to launch an attack against a more secure application.

> So all I can guess is that the danger you fear is the general one of
> having too many participants (applications and transport add/delete
> mechanisms) and that any one of them can do a lot of damage.

More or less yes. But there are probably details, and they need to be worked out.

> That's why
> I think it would be great to try to standardize a single control
> protocol, but permit it to be used over a variety of mechanisms (layer
> 3.5, transport, and even apps.)

I agree that it would be great to standardize a single control protocol. However, I am not so sure whether it would be great to permit it to be carried over a variety of mechanisms.

One particular problem with security is that it is not composable,
in general.  That is, if you have a perfectly secure mechanism A,
and another perfectly secure mechanism B, putting them together
into A + B (where + is some sort of a composition operator) may
result in a system that is not secure any more.  (I am not saying
that it is not composable in this particular case.  I am merely
saying that we don't know before we've done some analysis.)

--Pekka Nikander