
RE: additional attack for multi6 threat draft?



> > X sends to A a sort of BU binding X as the CoA and B as the HoA
> > (in order to do this X may need to be on the path between A and B, but if
> > this is only for a short period of time that attack can be successful)
>
> MITM can do almost anything, of course.

Well, this is not strictly related to a MITM attack, but to redirection
for future usage; let me try to explain.

Some multihoming support mechanisms send a message from one node to its
correspondent node on a communication that basically contains the following
information:
I am A, i.e. my identifier is A
and
I am located at B, i.e. my locator is B

In sum, this means that A can be reached at location B.

The receiver of such a message has to verify both the identity and the
location.

If the location is not verified, flooding attacks are possible.

If the identity is not verified, the identity can be hijacked.

Direct impersonation attacks are those where the attacker is the one that
attempts to establish the communication pretending to be another node (these
are already considered in the draft IMHO).

The attack that I am considering is about hijacking identity, but not in a
direct form as above; rather in a reverse form. In this case the attacker
creates some false state in the victim, so that in the future, when the
victim attempts to communicate with a given server, it will direct its
packets to the attacker (who will be able to impersonate the server).

Now, there are different proposals to verify the identity, depending on the
type of identifier that is being used.

If IP addresses are used as identifiers (as in the case of MIP), return
routability can be used to verify the identity.
The problem in this case is that the attacker can play as a MITM for a
*limited* period of time and manage to beat the verification mechanism as
long as the acquired authorization information is valid.

This implies that return routability cannot be used to protect from these
attacks, since it allows a transient MITM to achieve the same effect as a
permanent MITM, which IMHO is bad.

So, the proposed attack is not really related to MITM, but is more generic.
However, a transient MITM can manage to launch this attack when some specific
solutions (such as return routability) are used (during the lifetime of the
verification information in the attacked node).

>
> > Do you think this is a real threat?
>
> No, of course.
>
> > the example considered in the threat draft is that A and B will communicate,
>
> All you need is a threat draft with plain IP.
>
> > (i will use mip notation to simplify)
>
> Just FYI, MIPv6 or any mobility protocol with triangular
> elimination can be a cause of new type of threat, even
> though no MITM is involved.
>
> However, triangular elimination is an important feature of MIPv6
> and it has nothing to do with multi6.

I was just using MIP terminology in order to make an example, but I guess
this was not a good choice; sorry for the confusion that this may have
caused.

Regards, marcelo


>
> 						Masataka Ohta
>
>
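A small model of the point marcelo makes above, that a transiently on-path node can falsify binding state for as long as the receiver's verification information stays valid, added here as an example and not code from the thread or from any multi6 draft. The token scheme is a simplified stand-in for return routability (an assumption, not the real MIPv6 exchange), and the names A, B, X and the lifetimes are constructed.

```python
import hashlib
import hmac
import os


class CorrespondentNode:
    """Receiver of 'I am A, located at B' messages (constructed model).
    Identity is checked with a token sent toward A's address: whoever is on
    that path when it is issued can learn it, and it stays valid for
    `token_lifetime` seconds."""

    def __init__(self, token_lifetime):
        self.key = os.urandom(16)          # secret known only to this node
        self.token_lifetime = token_lifetime
        self.bindings = {}                 # identifier -> locator (state an attacker targets)

    def _mac(self, identifier, issued):
        msg = f"{identifier}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, identifier, now):
        # Sent toward `identifier`'s address; observable by anyone on that path right now.
        return (now, self._mac(identifier, now))

    def update_binding(self, identifier, locator, token, now):
        issued, mac = token
        if not hmac.compare_digest(mac, self._mac(identifier, issued)):
            return False                   # forged or foreign token
        if now - issued > self.token_lifetime:
            return False                   # authorization information has expired
        self.bindings[identifier] = locator
        return True


def binding_installed_after_leaving_path(token_lifetime, delay):
    """Thread scenario: X is on the path between A and the receiver only at
    time 0, leaves, and at time `delay` claims 'A is at X'.
    Returns the locator the receiver then holds for A."""
    cn = CorrespondentNode(token_lifetime)
    cn.bindings["A"] = "B"                 # legitimate state: A reachable at B
    token_seen_by_x = cn.issue_token("A", now=0)   # learned while transiently on path
    cn.update_binding("A", "X", token_seen_by_x, now=delay)
    return cn.bindings["A"]


if __name__ == "__main__":
    print(binding_installed_after_leaving_path(token_lifetime=420, delay=120))  # X
    print(binding_installed_after_leaving_path(token_lifetime=60, delay=120))   # B
```

A shorter lifetime only narrows the window; while X is actually on the path the check still passes, which is the limitation the message describes.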