[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RRG] Security of TRRP mapping replies

To: Routing Research Group <rrg@psg.com>
Subject: [RRG] Security of TRRP mapping replies
From: Robin Whittle <rw@firstpr.com.au>
Date: Mon, 25 Feb 2008 19:15:56 +1100
Cc: William Herrin <bill@herrin.us>
Organization: First Principles
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)

Hi Bill,

How would you secure each ITR from bogus map replies which pretend
to be from the authoritative nameserver?

It would be possible for an attacker to send a packet to host X,
with source address B.  The attacker wants the ITR which X uses to
cache some bogus mapping information.  The attacker reasonably
assumes the ITR will now issue a map request to a nameserver which
is authoritative for whatever /8 address B is in.  While the request
and genuine reply is in transit, the attacker sends a bogus packet,
using the nameserver's address as the source.  The ITR sees this as
the authentic mapping information and caches the result.  That
mapping results in all packets for address B (and others in the same
micronet?) being tunnelled to the attackers ITR.

This affects packets from any host which relies on the ITR.  So the
real victim may be on nearby host Y, when they send packets to B.

  - Robin


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

Follow-Ups:
- [RRG] Re: Security of TRRP mapping replies
  - From: "William Herrin" <bill@herrin.us>

Prev by Date: [RRG] Re: TRRP Waypoint Routers
Next by Date: [RRG] TRRP's micronet length specification?
Previous by thread: [RRG] Six/One Router: Provider-Independence, IPv4/IPv6 Interworking, Backwards-Compatibility
Next by thread: [RRG] Re: Security of TRRP mapping replies
Index(es):
- Date
- Thread