[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shared Locator Address Pool (SLAP) protocol proposal

To: Dave Crocker <dcrocker@brandenburg.com>
Subject: Re: Shared Locator Address Pool (SLAP) protocol proposal
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Date: Wed, 19 Nov 2003 18:50:36 +0100
Cc: multi6@ops.ietf.org
In-reply-to: <16878086402.20031119083035@brandenburg.com>
References: <11729160049.20031115084555@brandenburg.com> <02ef01c3abb4$e4ffd3e0$2c818182@DFNJGL21> <3FB8C386.4E526EFB@zurich.ibm.com> <3FBB5A85.3020102@nomadiclab.com> <16878086402.20031119083035@brandenburg.com>
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5) Gecko/20031007

Dave,

PN> However, I am also worried about potential DoS and other
PN> security issues.  To me, it looks like a bad idea of allowing
PN> all of the upper layer protocols to add or remove addresses
PN> from SLAP.  Updating (soft) address state is probably fine,
PN> but both adding and deleting addresses is potentially dangerous.

Please elaborate on your concerns.


It's mostly gut feeling right now.  I have to do some analysis
before I can say much more, and I don't have that time right now.
Maybe reading Erik's threat draft would give some insight?

My assumption is that the apps each has at least the requisite, basic
"authentication of exchange continuity" that routing-based IP validation
provides.


Well, while that may suffice as a baseline, it may still have
some issues.  Like what if some applications have better security
properties than others?  In that case you could use an application
with weaker security to confuse the SLAP state in order to launch
an attack against a more secure application.

So all I can guess is that the danger you fear is the general one of having too many participants (applications and transport add/delete mechanisms) and that any one of them can do a lot of damage.


More or less yes.  But there are probably details, and they
need to be worked out.

That's why
I think it would be great to try to standardize a single control
protocol, but permit it to be used over a variety of mechanisms (layer
3.5, transport, and even apps.)


I agree that it would be great to standardize a single control
protocol.  However, I am not so sure whether it would be great
to permit it to be carried over a variety of mechanisms.

One particular problem with security is that it is not composable,
in general.  That is, if you have a perfectly secure mechanism A,
and another perfectly secure mechanism B, putting them together
into A + B (where + is some sort of a composition operator) may
result in a system that is not secure any more.  (I am not saying
that it is not composable in this particular case.  I am merely
saying that we don't know before we've done some analysis.)

--Pekka Nikander

Follow-Ups:
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>

References:
- Shared Locator Address Pool (SLAP) protocol proposal
  - From: Dave Crocker <dhc@dcrocker.net>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Dave Crocker <dhc@dcrocker.net>

Prev by Date: Re: Shared Locator Address Pool (SLAP) protocol proposal
Next by Date: I-D ACTION:draft-nordmark-multi6-cb64-00.txt
Previous by thread: Re: Shared Locator Address Pool (SLAP) protocol proposal
Next by thread: Re: Shared Locator Address Pool (SLAP) protocol proposal
Index(es):
- Date
- Thread