[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Identifiers

To: "Brian E Carpenter" <brc@zurich.ibm.com>
Subject: RE: Identifiers
From: "marcelo bagnulo" <mbagnulo@ing.uc3m.es>
Date: Thu, 25 Mar 2004 11:35:33 +0100
Cc: "Francis Dupont" <Francis.Dupont@enst-bretagne.fr>, "Iljitsch van Beijnum" <iljitsch@muada.com>, "Multi6 List" <multi6@ops.ietf.org>
In-reply-to: <4062ABAA.172A35D4@zurich.ibm.com>
Reply-to: <mbagnulo@ing.uc3m.es>

> My assumption is certainly that we can trust the first address pair, to
> exactly the extent that we can trust it in a non-multihomed case. Is
> that a wrong assumption?

IMHO it is a bit more tricky.

First of all, the initial comment was about general identifiers, not
restricted to addresses. Depending on the nature of the identifier it is
more or less  easier to steal a given identifier.

In the case of using addresses, return routabilibity i.e. the capability of
sending and receiving packets from/to the identifier (address) provides you
a little level of trust that the other ends owns the address (identifier).
If other identifiers are used, this level of trust may disappear (or
improve)

In the particular case of addresses, the problem with multihoming is that
verifying the addresses at the initial stage through return routability only
provides proof of ownership at this moment in time. It does not guarantee it
in the future. That is the attacker may be intercepting the packets only at
the initial stage, and then move somewhere else. If you trust an IP address
that you have only verified at the setup stage, you are exposed to this
attacks called time shifted attacks (P. Nikander et al.)

Finally, it seems that it is accepted that source addresses cannot be
trusted, but we do trust destination addresses, since we expect that packets
are delivered to that destination. However, in multihoming, the sense of
direction of source and destination may change in time. I mean, suppose that
i don't really verify a source address (or a source identifier in general)
and i just accept (without further verification) that a certain identifier I
has initiated a communication with me and it is reachable at the locators
L1,..,Ln. This may be ok, since it is not good in the current Internet to
trust the source address (source identifier)
the problem is that if i keep this state binding the identifier I with
locators L1,...,Ln as valid, i will use if in the future when i try to
initiate a communication with identifier I. Now this is problem, because i
want to communicate with I and i am trusting an unverified state linking I
to a set of locators to reach it.


>
> This should be made explicit one way or the other in the threats draft.

Well, some of this issues are already in the draft, and some others have
been discussed with Erik and the list. Let?s wait for the next version and
see

Regards, marcelo

>
>    Brian
>

Follow-Ups:
- Re: Identifiers
  - From: Eliot Lear <lear@cisco.com>

References:
- Re: Identifiers
  - From: Brian E Carpenter <brc@zurich.ibm.com>

Prev by Date: IPSEC or not [Re: Identifiers]
Next by Date: RE: Identifiers
Previous by thread: Re: Identifiers
Next by thread: Re: Identifiers
Index(es):
- Date
- Thread