[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shared Locator Address Pool (SLAP) protocol proposal

To: Spencer Dawkins <spencer@mcsr-labs.org>
Subject: Re: Shared Locator Address Pool (SLAP) protocol proposal
From: Brian E Carpenter <brc@zurich.ibm.com>
Date: Thu, 20 Nov 2003 14:00:08 +0100
Cc: multi6@ops.ietf.org
Organization: IBM
References: <11729160049.20031115084555@brandenburg.com> <02ef01c3abb4$e4ffd3e0$2c818182@DFNJGL21> <3FB8C386.4E526EFB@zurich.ibm.com> <3FBB5A85.3020102@nomadiclab.com> <16878086402.20031119083035@brandenburg.com> <3FBBAD6C.5040106@nomadiclab.com> <07d901c3af13$87ac20b0$2c818182@DFNJGL21>

Our guideline here is that the multi6 solution must not introduce any new
security vulnerabilities that we don't have today. And Pekka is certainly
correct - anytime you add shared state, you need to protect it against bad
people. But we can't assume that any key material is available to multihoming
participants, unless we also define how they acquire it, since multihoming 
participants likely have no pre-existing relationship.

   Brian

Spencer Dawkins wrote:
> 
> Hi, Pekka and Dave,
> 
> I didn't mean to bring up a subject quite this dark. My concern was
> about errors in one transport or one application hosing the multi6
> capability for everyone, and about how difficult it might be to debug
> this (visualize kernel debugging in many implementations). Pekka's gut
> feeling about one transport or one application being manipulated into
> hosing the multi6 capability for everyone is the next step, when one
> thinks about it (thanks for thinking about it).
> 
> Put another way, I was talking about software engineering, not about
> protocol design. Pekka brought the concept back into protocol design
> territory.
> 
> If we're saying that, in the absence of secure discovery mechanisms,
> anybody can respond to ARP requests and steal traffic, that's true,
> but maybe a little easier for the average snifferholic to debug than
> what Pekka and I are noodling about - a blown pointer would be
> sufficient to cause the effect I'm talking about.
> 
> Spencer
> 
> ----- Original Message -----
> From: "Pekka Nikander" <pekka.nikander@nomadiclab.com>
> To: "Dave Crocker" <dcrocker@brandenburg.com>
> Cc: <multi6@ops.ietf.org>
> Sent: Wednesday, November 19, 2003 11:50 AM
> Subject: Re: Shared Locator Address Pool (SLAP) protocol proposal
> 
> > Dave,
> >
> > > PN> However, I am also worried about potential DoS and other
> > > PN> security issues.  To me, it looks like a bad idea of allowing
> > > PN> all of the upper layer protocols to add or remove addresses
> > > PN> from SLAP.  Updating (soft) address state is probably fine,
> > > PN> but both adding and deleting addresses is potentially
> dangerous.
> > >
> > > Please elaborate on your concerns.
> >
> > It's mostly gut feeling right now.  I have to do some analysis
> > before I can say much more, and I don't have that time right now.
> > Maybe reading Erik's threat draft would give some insight?
> >
> > > My assumption is that the apps each has at least the requisite,
> basic
> > > "authentication of exchange continuity" that routing-based IP
> validation
> > > provides.
> >
> > Well, while that may suffice as a baseline, it may still have
> > some issues.  Like what if some applications have better security
> > properties than others?  In that case you could use an application
> > with weaker security to confuse the SLAP state in order to launch
> > an attack against a more secure application.
> >
> > > So all I can guess is that the danger you fear is the general one
> of
> > > having too many participants (applications and transport
> add/delete
> > > mechanisms) and that any one of them can do a lot of damage.
> >
> > More or less yes.  But there are probably details, and they
> > need to be worked out.
> >
> > > That's why
> > > I think it would be great to try to standardize a single control
> > > protocol, but permit it to be used over a variety of mechanisms
> (layer
> > > 3.5, transport, and even apps.)
> >
> > I agree that it would be great to standardize a single control
> > protocol.  However, I am not so sure whether it would be great
> > to permit it to be carried over a variety of mechanisms.
> >
> > One particular problem with security is that it is not composable,
> > in general.  That is, if you have a perfectly secure mechanism A,
> > and another perfectly secure mechanism B, putting them together
> > into A + B (where + is some sort of a composition operator) may
> > result in a system that is not secure any more.  (I am not saying
> > that it is not composable in this particular case.  I am merely
> > saying that we don't know before we've done some analysis.)
> >
> > --Pekka Nikander

Follow-Ups:
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>

References:
- Shared Locator Address Pool (SLAP) protocol proposal
  - From: Dave Crocker <dhc@dcrocker.net>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Dave Crocker <dhc@dcrocker.net>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: Shared Locator Address Pool (SLAP) protocol proposal
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>

Prev by Date: Re: Some Comments on ID/Loc Separation Proposals
Next by Date: Re: Shared Locator Address Pool (SLAP) protocol proposal
Previous by thread: Re: Shared Locator Address Pool (SLAP) protocol proposal
Next by thread: Re: Shared Locator Address Pool (SLAP) protocol proposal
Index(es):
- Date
- Thread