
Re: identifiers and security



> > If we add some multihoming signaling whereby an attacker, which was on
> > the path (e.g., by being on the same WiFi subnet as the victim) for a
> > short time period, can cause damage by essentially using the state
> > creation as a way to preserve its on-path'ness forever, then folks are
> > concerned.
> 
> And justifiably so. But wouldn't it be possible to address this in 
> other ways? Such as having per-direction or even per-session state 
> rather than per-address?

If you assume that there is an upper time limit on how long a (TCP)
connection can last, one could take such an approach.
But as far as I know the designers of TCP didn't envision such
an upper limit, thus some connections might last forever.

> I think if the redirection problem by attackers that are on-path 
> temporarily is limited to individual unprotected sessions, we are not 
> materially worse off than today as the same attacker could break the 
> sessions today also, and redirecting an unprotected session presumably 
> isn't worse than breaking it as the contents aren't secret.

I think there is a difference between
 - someone breaking into my office looking at the pieces of paper on
   my desk
 - someone breaking into my office and installing a device which allows
   them to look at all future pieces of paper I will place on my desk

Thus there is a difference between looking at unprotected communication
while being on the path, and looking at unprotected communication
long after having left the path.
But this might be a case where we can make things be slightly worse than
in today's Internet since this communication was unprotected in any case.

  Erik