
Re: node-to-node security breach



On Mon, 23 Aug 2004, Karen E. Nielsen (AH/TED) wrote:
> > I'm not sure if I understand your comment.  I wasn't arguing for
> > node-to-node communication :) -- I was just pointing out that the
> > mitigation strategy simply doesn't work, so the document should say
> > that direct tunneling issues cannot be mitigated (that way) because it
> > would break the protocol.  Either the protocol must not have direct
> > tunneling, or the risks must always be acceptable.
> 
> 
> The essence here is that direct tunnelling isn't an explicit goal
> of zeroconf, wherefore it isn't discussed in any detail
> (and that's made perfectly clear).
> 
> But now that you bring it up we can say something 
> to this effect in the security section 
> - something like:
> 
> "Direct Tunnelling:
> 
> If in addition direct tunnelling is provided,
> the tunnel protocol should not impose any new vulnerability on the
> nodes implementing the tunnel protocol beyond what is already present
> in existing IPv6 networks, where multiple hosts are served by the
> same router (possibly multiple routers).
> 
> Note that the mitigation strategy
> discussed above would break direct tunnelling,
> etc. etc."
> 
> I don't know if the other authors agree, but would this
> mitigate your concerns?

No, that wouldn't be good.  The point is that it does not just break
*direct tunneling*, but it breaks node-to-node communication inside
the "direct tunneling range".  That is unacceptable, and therefore
such mitigation should not be listed.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings