
RE: IPv6 Security Overview



Hi David,

> I think I agree with Francis, that it doesn't really matter. 
> However, it is probably worth noting that your check does not
> prevent the attack either. If you can find 128 live addresses 
> on either side of the router you can carry out the attack 
> without listing any address twice.
>
> (I guess you might want to use a routing header that traverses
> a single router a few times to get a better estimate of the RTT
> through that router.)
That is a very interesting point, and I did not see it that way. However,
we should note down the attack in the draft even if we do not know how
best to solve it (we are tracking security considerations for IPv6).

That said, the easiest attack this way would still be to know two
adjacent addresses; that way we can have two adjacent devices sending
packets to each other. The one you define is a slightly harder one where
we need to know 128 addresses on both sides of the router. A check
raises the barrier.

Thanks,
Vishwas
-----Original Message-----
From: dwmalone@maths.tcd.ie [mailto:dwmalone@maths.tcd.ie] On Behalf Of
David Malone
Sent: Wednesday, January 04, 2006 4:23 PM
To: Vishwas Manral
Cc: Francis.Dupont@point6.net; v6ops@ops.ietf.org
Subject: Re: IPv6 Security Overview

On Wed, Jan 04, 2006 at 01:52:57AM -0800, Vishwas Manral wrote:
>    I think a simple check at a firewall could be to see that the
>    routing header does not contain the same address more than once,
>    just as we have a check for the multicast address.
>
> => I don't think it matters.
> VM> I agree the TTL/Hop Limit changes etc. However, by keeping addresses
> alternating, i.e. Address [2x] = A, Address [2x+1] = B for x = 1 to n,
> we make a packet transit the same router n times, thus increasing the
> load on a router. It is a simple amplification attack.


I think I agree with Francis, that it doesn't really matter. However,
it is probably worth noting that your check does not prevent the
attack either. If you can find 128 live addresses on either side
of the router you can carry out the attack without listing any
address twice.

(I guess you might want to use a routing header that traverses
a single router a few times to get a better estimate of the RTT
through that router.)

>    It would have helped if the flow label field was not mutable (and
>    hence protected by AH) as it is anyway dependent on the source address.

FWIW, RFC 3697 already says the flow label should be delivered
unchanged to destination nodes. Though, as you point out, having
IPsec enforce that is a different matter.

	David.
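A defender-side illustration of the two points in this thread, added here and not part of the original messages: a parser for the type 0 routing header, the duplicate-address check Vishwas proposes, and a count of inside/outside boundary crossings that still flags the alternating-sides variant David describes (distinct addresses on each side, no address listed twice). The inside prefix 2001:db8:1::/48 and the two sample headers are constructed assumptions, not captured traffic.

```python
import ipaddress
import struct

RH0_TYPE = 0  # Routing Type 0, RFC 2460 section 4.4 (deprecated later by RFC 5095)


def parse_rh0(hdr: bytes) -> list:
    """Return the address list carried by a type 0 routing header.

    Layout: next_hdr(1) hdr_ext_len(1) routing_type(1) segments_left(1)
    reserved(4), then N 16-byte addresses, with hdr_ext_len == 2 * N.
    """
    if len(hdr) < 8:
        raise ValueError("routing header shorter than its fixed part")
    _nh, ext_len, rtype, _segs = struct.unpack("!BBBB", hdr[:4])
    if rtype != RH0_TYPE:
        raise ValueError("not a type 0 routing header")
    if ext_len % 2 or len(hdr) < 8 + 8 * ext_len:
        raise ValueError("hdr_ext_len does not match the address list")
    return [ipaddress.IPv6Address(hdr[8 + 16 * i:24 + 16 * i])
            for i in range(ext_len // 2)]


def has_duplicate_address(addrs) -> bool:
    """The firewall check proposed in the thread: any address listed twice."""
    return len(set(addrs)) != len(addrs)


def boundary_crossings(addrs, inside: ipaddress.IPv6Network) -> int:
    """Count consecutive address pairs that straddle the inside/outside line,
    i.e. how many times one border router would forward the same packet.
    This catches the distinct-addresses variant that the duplicate check misses."""
    sides = [a in inside for a in addrs]
    return sum(1 for x, y in zip(sides, sides[1:]) if x != y)


def sample_rh0(addrs) -> bytes:
    """Constructed test vector (not a captured packet): pack addrs into an RH0."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", 59, 2 * len(addrs), RH0_TYPE, len(addrs), 0) + body


if __name__ == "__main__":
    inside = ipaddress.IPv6Network("2001:db8:1::/48")  # assumed "our" side
    # A, B, A, B ...: the duplicate check fires.
    ping_pong = sample_rh0(["2001:db8:1::1", "2001:db8:2::1"] * 4)
    # Eight distinct hosts alternating sides: no duplicates, still 7 crossings.
    distinct = sample_rh0([f"2001:db8:{1 + i % 2}::{i}" for i in range(8)])
    for name, hdr in (("ping_pong", ping_pong), ("distinct", distinct)):
        addrs = parse_rh0(hdr)
        print(name, has_duplicate_address(addrs), boundary_crossings(addrs, inside))
```

A policy that drops headers with more than one or two crossings of the border prefix (or drops RH0 entirely, as RFC 5095 later recommended) raises the barrier where the duplicate check alone does not.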