[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

context confusion

To: shim6-wg <shim6@psg.com>
Subject: context confusion
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Mon, 21 Nov 2005 13:07:18 +0100
Cc: Erik Nordmark <Erik.Nordmark@sun.com>

Hi,

another issue that is still open is what the draft calls contextconfusion

The situation here is that we have hosts A and B that setup a shimcontext between themthe context has ULID(A) and ULID(B). For that context each peer hasassigned a context tag, CT(A) and CT(B)


suppose now that host B discards the state but A keeps it.

suppose that later on, a new context is established between A and B andthat B reuses CT(B) for this new context.In the case that the ULID or the locators used by B in this new contextcontain at least one of the addresses used by B in the previouscontext, A is able to detect the situation that we call contextconfusion. Such detection can occur whether when A receives a I1, an I2or an R2 message for this new context.


The question is: what does A does when it detect this context confusion?

There seems to be reasonable to continue with the new contextestablishment, using CT(B) for this new context, but what does A doeswith the old context?

There are two proposed approaches:
- Discard the old context
- try to reestablish the old context with a different context tag for B

Now, the problem with discarding the old context is that this may openthe door to some form of attacks, when an attacker that discovers acontext tag and a valid locator of a given peer, can easily, by justsending a I1 message make the victim to discard the state. In otherwords, if we have the scenario above with A and B having anestasblished context, an attacker can simply send an I1 message to Athat includes the CT(B) and an ULID option with B's address and thiswould cause A to discard the context with B. Of course, it wouldrequire that the attacker knows CT(B) and B's address, would thisthreat be acceptable? An additional option would be to delay contextteardown of the old context until a I2 or an R2 packet is received,making sure that we can track down an attacker....

The other option is that upon the reception of a shim control packetthat causes context confusion detection, A tries to reestablish thecontext, that is, it sends a new I1 packet for the old context and seewhat happens. If the peer still has the old context (i.e. we are underattack) then the peer will respond with a R2 message and the attack isdetected and no problem. If the peer actually has lost the context, itwill reply with an R1 message and the situation is that the peer hasdiscarded the context, and A can choose to restore it or not. In anycase, there is still an open question is when does A sends the I1message: upon the reception of I1 or upon the reception of I2? I guessthat we don't want to do anything when we receive a I1, and we betterdo it when we receive an I2 or an R2, when we have more confidence onwhat is going on...


So, what option do you prefer?

Regards, marcelo

Follow-Ups:
- Re: context confusion
  - From: Erik Nordmark <erik.nordmark@sun.com>

Prev by Date: forking
Next by Date: Re: forking
Previous by thread: forking
Next by thread: Re: context confusion
Index(es):
- Date
- Thread