[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[RRG] Security of TRRP mapping replies
- To: Routing Research Group <rrg@psg.com>
- Subject: [RRG] Security of TRRP mapping replies
- From: Robin Whittle <rw@firstpr.com.au>
- Date: Mon, 25 Feb 2008 19:15:56 +1100
- Cc: William Herrin <bill@herrin.us>
- Organization: First Principles
- User-agent: Thunderbird 2.0.0.9 (Windows/20071031)
Hi Bill,
How would you secure each ITR from bogus map replies which pretend
to be from the authoritative nameserver?
It would be possible for an attacker to send a packet to host X,
with source address B. The attacker wants the ITR which X uses to
cache some bogus mapping information. The attacker reasonably
assumes the ITR will now issue a map request to a nameserver which
is authoritative for whatever /8 address B is in. While the request
and genuine reply is in transit, the attacker sends a bogus packet,
using the nameserver's address as the source. The ITR sees this as
the authentic mapping information and caches the result. That
mapping results in all packets for address B (and others in the same
micronet?) being tunnelled to the attackers ITR.
This affects packets from any host which relies on the ITR. So the
real victim may be on nearby host Y, when they send packets to B.
- Robin
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg