
Re: 2nd part Re: revision of architecture draft is now published




On 03/07/2004, at 0:11, Geoff Huston wrote:


Hi Marcelo,

At 02:54 AM 1/07/2004, marcelo bagnulo braun wrote:
- about section 4.5

I am not sure about the following comment:

"Packet header rewriting by remote network elements has a large number
of associated considerations, and documentation relating to the
considerations of the use of Network Address Translators [4] contains
much of this material."


I mean, if the multi6 layer within the host replaces the received locator with the ULP identifier, then the locator that was actually carried in the packet doesn't really matter, right? I mean, in any case, the locator is transparent to the ULP, which only deals with the identifier.

Moreover, perhaps replacing locators with identifiers introduces some of the NAT problems, but in any case, I don't see how this is related to whether the locator is replaced by the host or by the edge router. So perhaps some comment like this one is required, but IMHO it is not restricted to this section but applies to all mechanisms that replace locators with identifiers.
Perhaps you were considering other issues here?

What I was attempting to point out is that packet header rewriting by _remote_ network elements is effectively a description of a session hijacking technique. In order to allow locator rewriting in a manner that is resilient to hijacking, there needs to be some element of visible authorization of the locator substitution. A session hijack is an unauthorized and undetected rewriting of packet headers, while a path switch is in effect an authorized rewrite of the packet headers. If this is performed within the host, then the authority issues are somewhat different than when such a header rewrite is performed at some point in the network path.


If this part of the document is unclear, then perhaps you could suggest a clearer rewording of this?


Ok, this is not what I thought you were considering at this point.
Since you are aiming at a security issue, I would suggest that you include a reference to the threats document here. I mean, I would say:


Packet header rewriting by remote network elements has a large number of associated security considerations, and any packet rewriting mechanism has to provide proper protection against the attacks described in [threats], in particular against Redirection Attacks.

regards, marcelo

regards,

Geoff