Re: Identifiers
In your previous mail you wrote:

> The question now is how do you provide security for this negotiation of
> alternative addresses in this first stage?

Since we have return routability there is no need to prove ownership of
the first IP address.

=> this is highly questionable:
- not all transport protocols give a return routability check for free
- return routability check only constrains the position of the attacker
  (it has to be on the path during the attack).
+ multi-homing can't be less secure than standard Internet for the first
  IP address.

Additional IP addresses can be checked against
information provided over the first one, so we can be sure that all of
them are used by the same host. However, a man in the middle between
one end and the original address of the other hand can subvert this
process in the absence of some kind of out of band security
information.

=> this is the mobile IPv6 routing optimization problem.

My answer to this problem is that there is no need to
create such an out of band system (storing info in the DNS, PKI,
whatever), as long as we can make use of such a system when it's
present.

=> the mobile IPv6 answer even if the last part can be considered as
dubious, at least in some current implementations...

I think this makes sense because if you don't bother to use IPsec or
TLS for a session, then the communication is subject to all kinds of
nastiness from a man in the middle anyway, so protecting against
session stealing isn't worth the trouble. On the other hand, if the
communication is sensitive there will be IPsec/TLS anyway so having
something in that case is redundant. We just need to make sure we can
leverage the security information present in those protocols to secure
our multihoming negotiations.

=> I agree but I am afraid that things are not as simple as you suggest...

Regards
Francis.Dupont@enst-bretagne.fr