[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-bagnulo-pshim6-00.txt

To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
From: Erik Nordmark <erik.nordmark@sun.com>
Date: Fri, 16 Mar 2007 14:24:21 -0700
Cc: Brian E Carpenter <brc@zurich.ibm.com>, shim6-wg <shim6@psg.com>
In-reply-to: <ebb65adadab7a05d2595064159772837@it.uc3m.es>
References: <E1HM9Gs-0001dh-Cf@stiedprstage1.ietf.org> <45E58E4A.9080806@zurich.ibm.com> <9f74c0c909b660c4ad5e6f7241742d1c@it.uc3m.es> <45F9E186.5060407@sun.com> <ebb65adadab7a05d2595064159772837@it.uc3m.es>
User-agent: Thunderbird 1.5.0.5 (X11/20060911)

marcelo bagnulo braun wrote:

It sounds brittle to rely on one of the P-shims to always have thecached locators in the cases that a host might have retained the CMULA.
For instance, there is plenty of host software (even though it isbroken) which retains DNS answers past the expiry of the DNS TTL.Thus some host software might retain the CMULA long after the P-shim'shave timed out the DNS information.


FWIW I didn't see a response to the above robustness issue.

but in any case the P-shim will perform the shim6 context establishmentand will use the HBA/CGA technique to verify that the ULID to locatorbinding is ok, so, even if some attacker manages to install the false idto loc mapping in the P-shim, it would still have to be able to crackthe HBAA/CGA protection, right?

I forgot about that because the draft didn't explicitly say that it isdone and when it is done.

If the HBA/CGA check isn't done until the P-shims do the exchange thereis still a source of confusion (hence possible redirect attacks) beforethen if the P-shim caches things based on the DNS response.

A way to avoid this is to invalidate the locator cache in the p-shimentry when there is a conflict, but even that seems shaky to me.Suppose the lookup for H2.foo.com comes back the shim returns the ULID1::1 to the host. The shim caches the mapping from 1::1 -> {x, y, z}.If/when a shim6 exchange with 1::1 has verified that using HBA/CGA thatmapping can be marked as 'verified'.But if there is some other DNS lookup (for H3.bar.com) via the same shimresulting in the same ULID but different locator set being returned bythe DNS, then an unverified mapping should be discarded and a newmapping should not be setup (pointing at a different locator set). Inthis case the shim MUST do a ULID->locator set lookup (using the DNS asthe example mechanism) to avoid a redirection DoS for one of thecommunications.


> the result would be some form of DoS attack, but i guess that this has
> similar impact (and should be protected with the same tools than) a DNS
> cache poisoning...

This has nothing to do with DNS cache poisoning.

The issue is that if you ask for a RRset for H3.bar.com the DNS serverwhich is authoritative for that zone can return whatever it pleases -and it could be signed by DNSsec - because it is authoritative.

Thus using the fact that H3.bar.com says ULID=1::1 and AAAA set = {a, c}is completely unrelated to which DNS server is authoritative for thelookup of the ULID (in the reverse tree). It is the delegation of thereverse tree that provides the authorization.


   Erik

Follow-Ups:
- Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

References:
- Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

Prev by Date: Re: About draft-ietf-shim6-failure-detection-07 {2}
Next by Date: Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
Previous by thread: Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
Next by thread: Re: I-D ACTION:draft-bagnulo-pshim6-00.txt
Index(es):
- Date
- Thread