
RE: node-to-node security breach



On Tue, 24 Aug 2004, Karen E. Nielsen (AH/TED) wrote:
> I think (?) that we agree on the following:
> 
> * If the protocol operates with host-to-server communication only,
> then the mitigation scheme would work, and it wouldn't break
> anything.

Sure, but if the protocol operates entirely in host-to-server (and 
server-to-host), there is nothing to mitigate in the first place, as 
the protocol implementation would automatically discard the bogus 
proto-41 packets in the first place?

> * It must be said that the mitigation scheme would break direct
> tunnelling, wherefore it cannot be applied when direct tunnelling is
> invoked by the protocol.
> 
> I don't, however, understand the distinction you seem to make here,
> nor do I understand what it is you find to be unacceptable - could
> you please elaborate?

I think you probably said it sufficiently well above.

What I mean is that one could envision three different approaches:

 1) no direct tunneling in the protocol -- nothing to mitigate
 2) direct tunneling in the protocol, but it could be turned off.  This 
    would not work with the current protocols, because there can be 
    hosts in the direct tunneling range which try to use direct 
    tunneling for node-to-node communication, and then node-to-node 
    communication would fail.
 3) direct tunneling in the protocol, and it is used.

The point I tried to make is that *node-to-node* communication is a
strict requirement: we must not break that.  On the other hand,
*direct tunneling* is not a requirement, and we could do without it,
but we must not break node-to-node communication while doing so.

For example, if we take ISATAP, we cannot remove (AFAICS) direct
tunneling in a manner which would not break node-to-node communication
without making non-interoperable changes to the protocol (e.g.,
defining a new identifier instead of "5efe").

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
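As an added illustration of the trade-off discussed in this thread (example code, not from the thread or any ISATAP implementation): a minimal model of an ISATAP decapsulator's proto-41 ingress check. It assumes the RFC 5214 rule that an inner IPv6 source carrying a "5efe" interface identifier must embed the outer IPv4 source, or else the outer source must be a known router; the "server-only" mode is the mitigation that drops everything not from a router, and the addresses are constructed.

```python
import ipaddress


def isatap_embedded_ipv4(inner_src):
    """IPv4 address embedded in an ISATAP interface identifier
    (...:0:5efe:a.b.c.d or ...:200:5efe:a.b.c.d), or None if the
    IPv6 source is not ISATAP-formed."""
    iid = ipaddress.IPv6Address(inner_src).packed[8:]
    # bytes 0-1: 0x0000 (local scope) or 0x0200 (u bit set); bytes 2-3: 0x5efe
    if iid[0] not in (0x00, 0x02) or iid[1] != 0x00 or iid[2:4] != b"\x5e\xfe":
        return None
    return ipaddress.IPv4Address(iid[4:8])


def accept_proto41(outer_src, inner_src, routers, mode):
    """Decide whether a proto-41 packet from outer_src carrying inner_src
    is decapsulated.  mode 'server-only' = host-to-server mitigation;
    mode 'direct' = ISATAP's own source check with direct tunneling."""
    outer = ipaddress.IPv4Address(outer_src)
    prl = {ipaddress.IPv4Address(r) for r in routers}  # potential router list
    if mode == "server-only":
        return outer in prl
    if mode != "direct":
        raise ValueError("unknown mode: %r" % mode)
    if outer in prl:
        return True
    # node-to-node: the embedded IPv4 must equal the actual IPv4 source
    return isatap_embedded_ipv4(inner_src) == outer


def demo():
    """Constructed cases: router 192.0.2.1, ISATAP node 192.0.2.10, spoofer 198.51.100.7."""
    routers = ["192.0.2.1"]
    node_inner = "2001:db8::5efe:192.0.2.10"
    results = {}
    for mode in ("server-only", "direct"):
        results[mode] = {
            "from_router": accept_proto41("192.0.2.1", "2001:db8::1", routers, mode),
            "node_to_node": accept_proto41("192.0.2.10", node_inner, routers, mode),
            "spoofed": accept_proto41("198.51.100.7", node_inner, routers, mode),
        }
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, r)
```

The spoofed packet is dropped in both modes, but only the "direct" mode keeps node-to-node traffic alive, which is the breakage the mitigation causes.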