
node-to-node security breach



Hi Pekka, 

> 
> > > ==> wouldn't such a "mitigation" possibly break the protocol
> > > (depending on how it's written), i.e., if the protocol includes
> > > direct encapsulation, the nodes would have no other way of talking
> > > to each other than through that encapsulation (i.e., you'd have a
> > > more specific prefix on the interface, and default route towards
> > > the server -- if the more specific prefix communications fail, at
> > > least standard ND sending algorithms wouldn't even try to send
> > > towards the default route)?
> > > 
> > > So, it would seem that if the protocol includes legitimate
> > > node-to-node communication, such mitigation would break the
> > > node-to-node communication and would be unacceptable.
> > 
> > I'm not convinced that we can make such a simple protocol that at the
> > same time provides node-to-node communication. In any case, I feel
> > that in the scenarios which we are targeting, traffic goes in any case
> > to the ISP network, so what will be the advantage of trying to solve
> > that?
> 
> I'm not sure if I understand your comment.  I wasn't arguing for
> node-to-node communication :) -- I was just pointing out that the
> mitigation strategy simply doesn't work, so the document should say
> that direct tunneling issues cannot be mitigated (that way) because it
> would break the protocol.  Either the protocol must not have direct
> tunneling, or the risks must always be acceptable.
> 


The essence here is that direct tunnelling isn't an explicit goal
of zeroconf, wherefore it isn't discussed in any detail
(and that's made perfectly clear).

But now that you bring it up we can say something 
to this effect in the security section 
- something like:

"Direct Tunnelling:

If, in addition, direct tunnelling is provided,
the tunnel protocol should not impose any new vulnerability on the
nodes implementing the tunnel protocol beyond what is already present
in existing IPv6 networks, where multiple hosts are served by the
same router (possibly multiple routers).

Note that the mitigation strategy
discussed above would break direct tunnelling,
etc. etc."

I don't know if the other authors agree, but would this
mitigate your concerns?

BR, Karen