
Re: threats ID



On Tue, 2004-01-20 at 03:11, Brian E Carpenter wrote:
> If a network-layer mh solution uses multiple identifiers, then what gets 
> hijacked is an individual identifier, not the node. Thus what is hijacked
> is the subset of sessions in the node using the same identifier. 
> Transport-layer solutions can claim that they reduce that set of sessions 
> to one at a time. 

It is probably true in general that if normal traffic needs to do
X amount of work per transport connection, then a redirection attacker
needs to do some work proportional to X per transport
connection.
Thus the ability to aggregate the signaling needed for rehoming for
multiple transport connections would affect legitimate traffic just as
much as it would affect an attacker.

> Nevertheless I find it surprising for Matasaka to assert that most of
> the threats in draft-nordmark-multi6-threats-00.txt only apply to
> network layer solutions. Do people have an opinion about that?

It might depend on the details of the transport layer solutions.
Take the premeditated redirection attack as an example.
If an attacker can guess that port A on node B will talk to port C on
node D in the near future, then premeditated redirection attacks can be
launched on a transport solution which identifies the "redirectable
unit" by the 5-tuple.
But if the transport solution uses some hard to guess random component
(an SCTP verification tag is an example; another example would be some
ephemeral IDs) to identify the redirectable unit, then it would be much
harder to perform a premeditated redirection attack.

My take on this is that the threats exist in all cases. Different
approaches, and in particular different bindings with transport level
mechanisms, can provide rather different ways of handling the threats.

Should it come to comparing transport vs. layer 3.5 approaches I think
the hardest thing for a transport level approach is for UDP traffic; 
preventing the various threats for UDP isn't much different than
preventing them for IP.

   Erik
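The contrast Erik draws between a redirectable unit identified by the 5-tuple alone and one identified by the 5-tuple plus a hard-to-guess random component, as an added toy model (not code from the thread, from any multi6 draft, or from SCTP). It simplifies "premeditated" down to "the attacker can predict the future 5-tuple but not the tag chosen at session setup"; the 32-bit tag, the `RehomingTable` class, and all addresses and ports are constructed for the illustration:

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    """Transport 5-tuple; the only identifier in the first scheme."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Session:
    key: FiveTuple
    tag: int        # random verification tag (0 when the scheme does not use one)
    locator: str    # locator (address) currently used to reach the peer


class RehomingTable:
    """State of one endpoint's (hypothetical) rehoming layer.

    use_tag=False: the redirectable unit is the 5-tuple alone.
    use_tag=True : the unit is the 5-tuple plus a 32-bit random tag chosen at
                   session setup (a simplification of an SCTP verification tag).
    """

    def __init__(self, use_tag: bool):
        self.use_tag = use_tag
        self.sessions: dict[FiveTuple, Session] = {}

    def open_session(self, key: FiveTuple) -> Session:
        tag = secrets.randbits(32) if self.use_tag else 0
        s = Session(key, tag, locator=key.dst)
        self.sessions[key] = s
        return s

    def rehome(self, key: FiveTuple, tag: int, new_locator: str) -> bool:
        """Process a 'move this unit to new_locator' message; True if applied."""
        s = self.sessions.get(key)
        if s is None:
            return False                        # no such unit: drop
        if self.use_tag and tag != s.tag:
            return False                        # tag mismatch: drop
        s.locator = new_locator
        return True


# Constructed sample session: the attacker is assumed to be able to predict it.
PREDICTABLE_KEY = FiveTuple("tcp", "2001:db8:1::10", 40000, "2001:db8:2::20", 443)


def run_scenario(use_tag: bool) -> dict:
    """The victim opens the predictable session; a rehoming message then
    arrives carrying the correct 5-tuple but only a guessed tag.
    Returns whether it was applied and where the session now points."""
    table = RehomingTable(use_tag)
    s = table.open_session(PREDICTABLE_KEY)
    guessed_tag = (s.tag + 1) & 0xFFFFFFFF      # any value other than the real one
    accepted = table.rehome(PREDICTABLE_KEY, guessed_tag, "2001:db8:ffff::1")
    return {"accepted": accepted, "locator": s.locator}


def legitimate_rehome(use_tag: bool) -> bool:
    """The real peer knows the tag, so its rehoming succeeds in both schemes."""
    table = RehomingTable(use_tag)
    s = table.open_session(PREDICTABLE_KEY)
    ok = table.rehome(PREDICTABLE_KEY, s.tag, "2001:db8:2::21")
    return ok and s.locator == "2001:db8:2::21"


if __name__ == "__main__":
    for scheme in (False, True):
        print("tag" if scheme else "5-tuple only", run_scenario(scheme))
```

With `use_tag=False` the guessed message is applied and the session's locator moves; with `use_tag=True` it is dropped unless the attacker also guesses the 32-bit tag, while the legitimate peer, which learned the tag at setup, rehomes in either scheme. This is the asymmetry the paragraph describes: the random component costs the legitimate endpoints nothing beyond carrying the tag, but removes the attacker's ability to prepare the redirect from a predicted 5-tuple alone.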