Re: addition of TLV to locator ID or locator ID set

[Paul Jakma <paul@clubi.ie>]

On Mon, 3 Oct 2005, Iljitsch van Beijnum wrote:

> However, without HBA or CGA it would be possible to redirect 
> packets (assuming the shim is used) even in the presence of IPsec.

CGA would not make that impossible AIUI, it'd make it impossible to 
redirect an /existing/ shim state, AIUI (which is same as you'd get 
with IPSec).

HBA (a special case of CGA right?) makes it impossible by binding 
locator prefixes to ULIDs uniquely (ie permanently).

Right?

> CGA simply ties a public key / certificate to an address. This key 
> or certificate can then be used to authenticate further exchanges 
> so an attacker can't successfully inject shim signalling.

That's the same thing you could achieve with anonymous IPSec. 
(Though, IPSec associates state with a 'security association' rather 
than address, which could be more fine-grained than CGA). It's an 
anonymous key either way, unless there is some other way to verify 
the authenticity of a key and what it may be used for / who it is 
issued for (who in terms of IP addresses).

> can execute any valid signalling exchange. However, the HBA limits 
> the set of valid exchanges to the ones related to a prefix where 
> that prefix is one of the set for which there is a valid hash in 
> the interface identifier.

Ok.

> > if the only security is HBA and the shim protocol is stateless (without 
> > having to observe packets obviously).
>
> Obviously all signalling will use cookies so blind injection attacks 
> shouldn't be an issue.

Ok, in which case you'll need a handshake before you accept the 
cookie as valid, to establish two-way communication (two-way at shim6 
level, each direction might use a different path).

> Suppose C now initates a rehoming. C would also have to be present 
> at the new address A' in order for E to accept the change. And A' 
> must be an address that belongs to A because otherwise A wouldn't 
> have included the prefix in question in its HBA.

Right.

Obviously, if renumbering were to be allowed, then C could redirect 
the mapping completely away from A (the only part supposed to be 
using that HBA).

The security issues are quite interesting. :)

> I suppose this attack might be useful for C if C can only be a man 
> in the middle between A and E for a short time, but be a man in the 
> middle between A' and E for a longer period. As long as C keeps the 
> A' - E association alive, A is going to have a hard time connecting 
> to E using A - E.

Right.

It does preclude renumbering though, which is an interesting 
(unfortunate?) consequence.

Sorry for being so annoying btw, I just can't help questioning things 
as a means to gaining understanding.. ;)

regards,
--
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
party, n.:
	A gathering where you meet people who drink
	so much you can't even remember their names.