[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

soft state (was Re: shim6 and bit errors in data packet headers

To: Erik Nordmark <erik.nordmark@sun.com>
Subject: soft state (was Re: shim6 and bit errors in data packet headers
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Sat, 7 May 2005 12:21:26 +0200
Cc: shim6 <shim6@psg.com>
In-reply-to: <427BF3E4.6080406@sun.com>
References: <42780A4C.7080904@sun.com> <f8cfe7413d9a1690bb242b7399b53745@it.uc3m.es> <427BF3E4.6080406@sun.com>


El 07/05/2005, a las 0:47, Erik Nordmark escribió:

marcelo bagnulo braun wrote:
This implies that in the bit error case above, since B can't tell the difference between a bit error and the case when it has lost/discarded the state, B needs to at least send an error message to A saying "I have no matching shim6 context".
why? i would argue that silently discarding the packet would be enough. I mean, i think that soft state approach is an interesting approach, but i would like to explore the possibility of silently discarding packets that don't match with any existent contexts.
I think if you want to discard packets for which you don't have a context, then I think you effectively end up assuming some hard(er) state management, where the two ends coordinate when they discard their state. But I can't see how this can work in a soft-state approach - soft state seems to imply that a node can rebuild the state when it receives packets.


But, the state can be rebuild using the initial exchange again, right?

I mean, i am thinking in the following scenario (that i think Brian suggested some time ago)

Node A and Node B start a communication using IPA1 and IPA2 respectively,

A while after, they decide to create a SHIM context, for this communication. For that, the perform the initial exchange and the continue the communication for a while.

At this points i can think about 3 scenarios:

1- the "normal" situation i.e. there no abrupt lost of context for external reasons. In this case, each packet received corresponding to that context would extend the lifetime of the context information. If no packets are exchanged for a given period T, then both ends discard the state. I guess T should defined in a conservative way, i.e. long enough.

2- One of the nodes reboots and all state is lost. In this case, it doesn't make much sense to rebuild the context, i think, because the upper layer state has also been lost, so i guess it doesn't make much sense to try to resume the SHIM context when there is no upper layer that wants to preserve a communication

3- There is some abrupt lost of context state in one of the nodes (and only the context state. (i am not sure how likely this is, i mean i guess it could happen when because of the soft state, one of the nodes discards the state before its peer, and after that the peer wants to resume the communication associated with this context. I guess the occurrence of such situation becomes less likely, as the inactive time required to discard the context grows). In any case, suppose that suddenly node A losses its state about the SHIM context. At this point, node B would detect that the context has been lost. How this is detected, is to be analyzed in depth. - If the communication was still using the ULIDs as locators, then data packets will flow without problems and no problem is detected. I guess that for this case, a SHIM keepalive may be needed to detect this case - If the communication is using locators that differ from ULIDs then, i guess that upper layers will send an error message back, like port unreachable or similar, so that the context loss can be detected - If SHIM signaling packets are sent by node B, the absence of replies would indicate that an the context has been lost

At this point, when node B detects that the context state has been lost, node B can try to perform the initial exchange again, using the same information that was used during the initial exchange the first time. I think this would permit node A to rebuild the lost state

I think this soft state could work without requiring the error message.

FWIW I've suggested a way to handle a close handshake for hard state management in the past, which has made it into the HIP spec.

I mean, i think that (as i think you mentioned a while ago) defining a error message in order to reply to those packets belonging to non existent contexts may introduce some security issues. In particular, it may allow an attacker to force to communicating end nodes to re-do the initial exchange, allowing the attacker to become a MiTM.
Yes, but that isn't any worse than in today's Internet; an attacker can arrive on the path and use e.g. ARP spoofing in the local link (which might be the link between two routers in the path) to redirect the traffic.


I am not sure these two cases are directly comparable...

But in any case, note that through error message spoofing the attacker may manage to impose that the context is re initiated while the communication still flows (in the case that the ULIDs are still being used as locators) That would allow an attacker that has a compatible CGA parameter data structure for instance to place himself in the middle of an ongoing communication.

   Erik

Follow-Ups:
- Re: soft state (was Re: shim6 and bit errors in data packet headers
  - From: Erik Nordmark <erik.nordmark@sun.com>

References:
- shim6 and bit errors in data packet headers
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: shim6 and bit errors in data packet headers
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: shim6 and bit errors in data packet headers
  - From: Erik Nordmark <erik.nordmark@sun.com>

Prev by Date: Re: Middleboxes [Was: Flow label versus Extension header - protocol itself]
Next by Date: Re: Middleboxes [Was: Flow label versus Extension header - protocol itself]
Previous by thread: Re: shim6 and bit errors in data packet headers
Next by thread: Re: soft state (was Re: shim6 and bit errors in data packet headers
Index(es):
- Date
- Thread