
RE: node-to-node security breach

Hi Pekka,

> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi]
> Sent: Tuesday, August 24, 2004 7:19 AM
> To: Karen E. Nielsen (AH/TED)
> Cc: v6ops@ops.ietf.org
> Subject: Re: node-to-node security breach
> 
> 
> On Mon, 23 Aug 2004, Karen E. Nielsen (AH/TED) wrote:
> > > I'm not sure if I understand your comment.  I wasn't arguing for
> > > node-to-node communication :) -- I was just pointing out that the
> > > mitigation strategy simply doesn't work, so the document should say
> > > that direct tunneling issues cannot be mitigated (that way) because it
> > > would break the protocol.  Either the protocol must not have direct
> > > tunneling, or the risks must always be acceptable.
> > 
> > 
> > The essence here is that direct tunnelling isn't an explicit goal
> > of zeroconf, wherefore it isn't discussed in any detail
> > (and that's made perfectly clear).
> > 
> > But now that you bring it up we can say something 
> > to this effect in the security section 
> > - something like:
> > 
> > "Direct Tunnelling:
> > 
> > If in addition direct tunnelling is provided, 
> > the tunnel protocol should not impose any new vulnerability to the
> > nodes implementing the tunnel protocol than what is already present
> > in existing IPv6 networks, where multiple hosts are served by the
> > same router (possible multiple routers).
> > 
> > Note that the mitigation strategy
> > discussed above would break direct tunnelling,
> > etc. etc."
> > 
> > I don't know if the other authors agree, but would this 
> > mitigate your concerns ?
> 
> No that wouldn't be good.  The point is that it does not just break
> *direct tunneling*, but it breaks node-to-node communication inside
> the "direct tunneling range".  That is unacceptable, and therefore 
> such mitigation should not be listed.
> 

I think (?) that we agree on the following:

* If the protocol operates with host-to-server communication only, then
the mitigation scheme would work, and it wouldn't break anything.

* It must be said that the mitigation scheme would break direct tunnelling,
wherefore it cannot be applied when direct tunnelling is invoked by the protocol.

I don't, however, understand the distinction you seem to make here, nor do I understand
what it is you find unacceptable - could you please elaborate?

Thanks, Karen