
Re: Proposal for PSAMP-PROTO section 6.5.2.6



Dear PSAMP folks,

I am interested in the network attack tracing scenario of trajectory sampling,
as documented in Section 6.2.1.2 of draft-ietf-psamp-sample-tech-07.

Here are my comments on draft-ietf-psamp-protocol-04 regarding hash-based filtering:

Section 6.5.2.6 doesn't mention IPv6.  I assume you will refer readers to
(or copy text from) Section 6.2.3.3 of draft-ietf-psamp-sample-tech-07.
If this is the case, I find a potential weakness here.
An attacker can evade trajectory sampling if 1) he can arbitrarily choose byte
numbers 10, 11, 14, 15, 16 of IPv6 src/dest addresses, and 2) hash selection range
S is known to the attacker.  1) is feasible since it is EUI-64, and 2) is
feasible if S remains identical Internet-wide, for a long period of time.

Regarding the BOB hash function: I wonder if someone has evaluated the
cryptographic soundness (i.e., one-wayness and collision resistance) of BOB.
If so, it would be useful to point at the cryptanalysis document of BOB.  If
not, I can volunteer to ask nearby cryptographers to look at it.

If BOB is found not to be collision resistant, an attacker may come up with a very
fast algorithm to manipulate IP payload (or IP-ID field) so that every attack
packet evades detection.

N.B. I am aware of the following paper, where the authors conducted statistical
(that is, not cryptanalytic) testing of IPSX and BOB.
http://public.research.att.com/~duffield/papers/31-085A.pdf

Maybe this is a recurring topic though.

P.S.
  Kudos to all of your standardization efforts.

-- 
    Youki Kadobayashi
    WIDE Project
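
Added example (not part of the original message or of the PSAMP drafts): a measurement of how much of a sender's pre-chosen traffic an observation point still samples when the selection parameters are identical everywhere versus private to one domain. Assumptions: BLAKE2b stands in for the BOB function, selection is "hash mod 16 == 0", and both seeds and the 5-byte inputs are constructed.

```python
import hashlib

MODULUS = 16  # constructed selection rule: sample when hash mod 16 == 0 (rate 1/16)

def selected(hash_input: bytes, seed: bytes) -> bool:
    """Hash-based selection over the hash input bytes, parameterised by a seed."""
    digest = hashlib.blake2b(hash_input, key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big") % MODULUS == 0

def sampled_fraction(values, seed: bytes) -> float:
    """Fraction of the given hash inputs that an observation point selects."""
    values = list(values)
    return sum(selected(v, seed) for v in values) / len(values)

def unsampled_under(candidates, seed: bytes):
    """Inputs that are never selected, computable by anyone who knows `seed`."""
    return [c for c in candidates if not selected(c, seed)]

# Constructed input: 4096 values for five sender-controlled address bytes.
CANDIDATES = [i.to_bytes(5, "big") for i in range(4096)]
PUBLIC_SEED = b"same-everywhere"     # hypothetical: identical Internet-wide
DOMAIN_SEED = b"per-domain-secret"   # hypothetical: private to one operator

def compare():
    """Return sampled fractions for ordinary and pre-chosen traffic."""
    chosen = unsampled_under(CANDIDATES, PUBLIC_SEED)
    return (
        sampled_fraction(CANDIDATES, PUBLIC_SEED),  # ordinary traffic
        sampled_fraction(chosen, PUBLIC_SEED),      # pre-chosen, parameters known
        sampled_fraction(chosen, DOMAIN_SEED),      # pre-chosen, parameters unknown
    )

if __name__ == "__main__":
    ordinary, known, unknown = compare()
    print(f"ordinary traffic, public parameters   : {ordinary:.3f}")
    print(f"pre-chosen inputs, public parameters  : {known:.3f}")
    print(f"pre-chosen inputs, per-domain secret  : {unknown:.3f}")
```

With parameters that differ per domain and are not published, the pre-chosen inputs are sampled at roughly the nominal rate again, which is what a trajectory-sampling deployment needs for attack tracing.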
