RE: node-to-node security breach
Hi Pekka,
> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi]
> Sent: Tuesday, August 24, 2004 7:19 AM
> To: Karen E. Nielsen (AH/TED)
> Cc: v6ops@ops.ietf.org
> Subject: Re: node-to-node security breach
>
>
> On Mon, 23 Aug 2004, Karen E. Nielsen (AH/TED) wrote:
> > > I'm not sure if I understand your comment. I wasn't arguing for
> > > node-to-node communication :) -- I was just pointing out that the
> > > mitigation strategy simply doesn't work, so the document should say
> > > that direct tunneling issues cannot be mitigated (that way) because it
> > > would break the protocol. Either the protocol must not have direct
> > > tunneling, or the risks must always be acceptable.
> >
> >
> > The essence here is that direct tunnelling isn't an explicit goal
> > of zeroconf wherefore it isn't discussed in any detail
> > (and that's made perfectly clear).
> >
> > But now that you bring it up we can say something
> > to this effect in the security section
> > - something like:
> >
> > "Direct Tunnelling:
> >
> > If in addition direct tunnelling is provided,
> > the tunnel protocol should not impose any new vulnerability to the
> > nodes implementing the tunnel protocol than what is already present
> > in existing IPv6 networks, where multiple hosts are served by the
> > same router (possibly multiple routers).
> >
> > Note that the mitigation strategy
> > discussed above would break direct tunnelling,
> > etc. etc."
> >
> > I don't know if the other authors agree, but would this
> > mitigate your concerns?
>
> No that wouldn't be good. The point is that it does not just break
> *direct tunneling*, but it breaks node-to-node communication inside
> the "direct tunneling range". That is unacceptable, and therefore
> such mitigation should not be listed.
>
I think (?) that we agree on the following:
* If the protocol operates with host-to-server communication only, then
the mitigation scheme would work, and it wouldn't break anything.
* It must be said that the mitigation scheme would break direct tunnelling,
wherefore it cannot be applied when direct tunnelling is invoked by the protocol.
I don't, however, understand the distinction you seem to make here, nor do I understand
what it is you find unacceptable - could you please elaborate?
Thanks, Karen