
Re: threats ID



Marcelo,

On Jan 19, 2004, at 19:55, marcelo bagnulo wrote:
After some mail exchanges with Pekka N., my understanding is that there
is an important distinction to be made between these two cases when
considering the hijacking attack. The point is that in transport layer
solutions, the hijack attack is limited to the existent established
connection while in the IP layer (shim layer also) solutions the attack
applies to the complete endnode.

Thank you. A very good explanation.


This also relates somewhat to performance. If you have per-connection state,
then you have to create the state separately for each connection. If you
have per-host state, then you create the state on first connection, and
then share it with the other ones that are created during the lifetime
of the state.


Whether a per-host state (in addition to the per-connection state) is a good
idea is an architectural issue. In my opinion, many of the shim approaches
do create a kind of a new layer, say layer 3.5, which contains a per-host
state, potentially shared by multiple transport layer connections.


Because the attack applies to the endnode,
the attacker can do things like establishing a connection creating some state
so that future communications initiated by the victim are also redirected.
That is, in IP layer solutions, the complete identity of the victim is
hijacked for all the applications and for all the communications,
pre-established or future communications (as long as the malicious state
exists in the victim).

Right.


This implies that the risk is very different in one case than in the other
one and different security solutions are required.

Well, I might not call the risks "very" different, but they are different.


So I guess that I agree with Masataka that a return routability check with a
cookie is enough to redirect a connection but IMHO this is not enough to
redirect a complete identity at the IP layer level.

If I understand Ohta-san correctly, he perceives that an architectural change
that creates a per-host state at the end-hosts in the IP layer, or one that
creates a new layer between IP and transport, is abhorrent and should not be
considered. Hence, my perhaps faulty understanding of his thoughts is that the
concept of location-independent IP layer identity does not exist. But maybe I
understand his thoughts wrongly.

I, on the other hand, certainly believe that adding location-independent
IP layer identity would be good for the Internet.


While (if) there is such a large disagreement between Ohta-san and me,
it may be impossible to agree on security.

--Pekka Nikander
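A constructed model of the two state scopes discussed in this thread, added here as an example and not code from the thread's authors or from any shim or HIP implementation: the same return-routability cookie check guards a locator update in both scopes, but with per-host ("shim") state one accepted update also redirects the peer's other and future connections, for as long as that binding exists. Names such as "peerA", "locA" and "locX" are constructed sample values.

```python
# Constructed model of locator binding scope: "transport" keeps one locator per
# connection, "shim" keeps one per peer host shared by all of its connections.
# A locator update takes effect only after a return-routability check: a fresh
# cookie is sent to the claimed locator and must be echoed back.
import secrets

class Host:
    def __init__(self, scope):
        self.scope = scope   # "transport" or "shim"
        self.conn_loc = {}   # (peer_id, port) -> locator
        self.host_loc = {}   # peer_id -> locator
        self.pending = {}    # cookie -> (peer_id, port, new_loc)

    def connect(self, peer_id, port, locator):
        if self.scope == "shim":
            # a new connection inherits whatever host binding already exists
            self.host_loc.setdefault(peer_id, locator)
        else:
            self.conn_loc[(peer_id, port)] = locator

    def locator_for(self, peer_id, port):
        if self.scope == "shim":
            return self.host_loc[peer_id]
        return self.conn_loc[(peer_id, port)]

    def start_update(self, peer_id, port, new_loc):
        # the cookie is "sent" to new_loc; only a party reachable there can echo it
        cookie = secrets.token_hex(8)
        self.pending[cookie] = (peer_id, port, new_loc)
        return cookie

    def finish_update(self, cookie):
        entry = self.pending.pop(cookie, None)
        if entry is None:
            return False     # unknown or forged cookie: update rejected
        peer_id, port, new_loc = entry
        if self.scope == "shim":
            self.host_loc[peer_id] = new_loc
        else:
            self.conn_loc[(peer_id, port)] = new_loc
        return True

def blast_radius(scope):
    """Which flows follow one accepted update: the updated, another, a future one."""
    h = Host(scope)
    h.connect("peerA", 80, "locA")
    h.connect("peerA", 443, "locA")
    h.finish_update(h.start_update("peerA", 80, "locX"))  # cookie echoed
    h.connect("peerA", 8080, "locA")                      # opened afterwards
    return {port: h.locator_for("peerA", port) for port in (80, 443, 8080)}
```

Running `blast_radius` for both scopes shows the difference Marcelo describes: in transport scope only port 80 moves to the new locator, in shim scope ports 443 and the later 8080 follow it as well.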