[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: additional attack for multi6 threat draft?
marcelo;
Why?
Why?
Can you name some protocol that does not do this?
Take mip and remove the rr check.
You are supposedly talking to the HoA but you are sending packets to the
CoA, so you don't have a RR check of the address that you are supposed to be
talking to i.e. the HoA
You are talking about triangle elimination, which, as I mentioned, is
a cause of new form of redirection attack.
However, it is purely a mobility issue having nothing to do with
multihoming.
A CN and a MN can use all the complex security mechanism to locate
and identify each other. However, it does not prevent MN redirection
of traffic of CN to a DOS victim. The victim can be protected from
DoS, if 8+8 is used, though the network around the victim still suffer.
Again, RR is fine to verify locators but it is not so great to verify
identifiers.
RR check involves cookie exchange, which is to verify the identity.
In multi6 where we may need redirection, you cannot assume that RR will be
available to verify identities
Cookie is our friend.
Masataka Ohta