[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: soft state (was Re: shim6 and bit errors in data packet headers



marcelo bagnulo braun wrote:

- Flooding attacks once the shim context is established: in this case, an attacker creates a context with a server and starts downloading a heavy flow (i know you know this story, but just to make sure we are sync), then the attackers rehomes the flow towards an alternative address that belongs to the victim, so the victim is flooded. In this case, the server has context state and the packets involved in the flooding are the data flow (not only reachability test packets) Imho, if we are going to use a reachability test exchange to prevent this attack, then the reachability test exchange requires additional information than the one is included in the reachability test exchange that you describe below.

FWIW I've been assuming that the purpose of the locator pair test protocol is merely to test which locator pairs are working.
Shim6 does need a way to prevent this kind of 3rd party flooding attacks, by verifying that A is indeed present at locator A2, but I don't see why this needs to be done at the same time as searching for a working locator pair.
Conceptually there is a big difference between searching for a working locator pair and verifying whether one of the locators that A says it has, does indeed reach ULID A.


This is because for preventing this attack, the victim needs to know what is the context that is associated with the reachability test that it is replying to, in order to verify that the future incoming flow corresponds to an existent context.

You still don't need to check the context tag. It is sufficient to verify that the ULID A1 is acceptable by whoever responds at locator A2.



- reachability test request for exploring alternative address pairs for rehoming an established communication require context information in order to prevent flooding attacks

To prevent the 3rd party flooding attack this verification just needs the ULID.


OTOH, i think that both reachability test exchange will be similar in all the other aspects ( i mean, i don't think that two different reachability tests are required for this two situations, only that in one case it will be required to carry context information and in the other one it won't. However, such context information can be useful to detect loss of context, i think

I still have to work out some details to figure out if this really helps in detecting a lost context.




and perhaps also trigger its own exploration of the B->A direction (since it knows that Ai,Bj works for the A->B direction).


at this point i wonder if this exploration may not result in amplification attacks?

Perhaps. But any damage can be limited by this being (in addition to applying to existing contexts) limited to a few and rate limited tests.



here is the part that i am concerned, since B would generate 6 packets as reply to one packet, right?

Yep, but they need to be spaced out according to whatever congestion control constraints we have in any case.



I think this test protocol is ok for initial contact, but that we need additional protectio from flooding attacks in the case of a rehoming of an existing context, as i described above. for this, context information is to be included in the exchange

Yes. But to me that is a conceptually different protocol mechanism.

  Erik