[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: threats ID

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: threats ID
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Wed, 21 Jan 2004 08:18:12 +0900
Cc: Multi6 List <multi6@ops.ietf.org>
In-reply-to: <E50A0372-4B8A-11D8-9871-000A95CD987A@muada.com>
References: <LIEEJBCNFDJHFFKJJDPAEECKDJAA.mbagnulo@ing.uc3m.es> <D88F1830-4B08-11D8-AC7E-000393CE1E8C@nomadiclab.com> <400D2075.8040207@necom830.hpcl.titech.ac.jp> <E50A0372-4B8A-11D8-9871-000A95CD987A@muada.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Iljitsch;

However, IP layer does not have any state of a connection,

That's not true. The routing table is state,

It is not state of a connection.

as is per-destination path MTU information.

It is a wrong understanding of PMTUD issues.

PMTUD is an issue of connections.

A few years ago, transport people finally recognized it and
had a BoF or WG to do PMTUD at the transport layer. I haven't
traced the activity, because I think PMTUD is a bad idea even
if it is implemented at the transport layer.

I'm not even going to mention IPsec.


SPI is, effectively, is a transport layer identifier just as
port numbers, which is one of a reason why design of IPsec is
poor.

because it is connectionless.

For a connection you need per-connection matching state in at least two places, the source and the destination. For IP you still need state, but it's per IP address or even per prefix, and it doesn't have to match on both ends. But it's still state.

See the first line of this mail.

All the shim layers are working at least at layer 4 that there
is no point to say layer 3.5

I believe NOID and certainly ODT allow layer 4 to work without changes,


You can believe so, just as you can believe NAT allow layer 4 to work
without changes.

BTW, my point about man in the middle was that an attacker can still do damage without having full man in the middle capabilities, for instance by intercepting packets and injecting falsified ones, without necessarily being able to stop the flow of traffic between the endpoints.


Sure. For example, on the Internet today without M6, you can modify
DNS result by sending false answer before the real one is returned.

This is important, because true man in the middle capability isn't something that is easily achieved, while "man on the sideline", where the attacker can observe data and inject his own, but not stop the real data from flowing, is fairly trivial to achieve in many situations.

Maybe. But, it has nothing to do with M6.

Masataka Ohta

Follow-Ups:
- Re: threats ID
  - From: Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
- Re: threats ID
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- RE: threats ID
  - From: "marcelo bagnulo" <mbagnulo@ing.uc3m.es>
- Re: threats ID
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: threats ID
  - From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
- Re: threats ID
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: Comments on draft-ohta-multi6-8plus8-00.txt
Next by Date: Re: threats ID
Previous by thread: Re: threats ID
Next by thread: Re: threats ID
Index(es):
- Date
- Thread