[CGA-EXT] Hashed DAD
"Pars Mutaf" <pars.mutaf@gmail.com> Thu, 28 February 2008 19:40 UTC
Message-ID: <18a603a60802281139x220a6227j24d9b0234c65b71b@mail.gmail.com>
Date: Thu, 28 Feb 2008 20:39:50 +0100
From: Pars Mutaf <pars.mutaf@gmail.com>
To: cga-ext@ietf.org
MIME-Version: 1.0
Content-Disposition: inline
Subject: [CGA-EXT] Hashed DAD
Hello,

Below is an IMHO better protection against the DAD DoS attack for SEND. It is very simple; I won't bother you with a personal draft. :-) I hope the solution is OK.

Regards,
pars

=========

Hashed duplicate address detection

Abstract

This document proposes a cheap defense against the Duplicate Address Detection (DAD) denial-of-service attack in IPv6.

1. Introduction

Duplicate Address Detection (DAD) in IPv6 is vulnerable to a well-known Denial-of-Service attack. Each time the victim performs DAD on a tentative address, the attacker returns a positive response indicating that the address is already in use. This attack prevents the victim from configuring an IPv6 address.

"Secure Neighbor Discovery counters this attack by requiring that the Neighbor Advertisements sent as responses to DAD include an RSA Signature option and proof of authorization to use the interface identifier in the address being tested. If these prerequisites are not met, the node performing DAD discards the responses." [SEND]

This solution leads to unnecessary energy consumption for signature generation/verification and to larger packets that include an RSA signature option. An attacker may be able to force a victim to continuously use this solution and consume more energy than it would using insecure DAD.

This document proposes an alternative solution which is computationally cheap and does not require the modification of the neighbor advertisement packet.

2. Hashed duplicate address detection

In the proposed solution, the node performing DAD on its tentative address computes a cryptographic hash of that address and performs DAD for the result. Each node in the subnet, using the same hash function, computes the hash of its address and compares it to the hash result received from the node that performs DAD. Upon match, the target node returns a neighbor advertisement that contains its address (i.e. not the hash result but its real address).

This proves that the target node has really configured that address. An attacker cannot know in advance which address is being tested. Consequently, the DAD denial-of-service attack is defeated.

3. Conclusion

This document proposed a computationally cheap defense to the Duplicate Address Detection (DAD) denial-of-service attack.
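The exchange described in the message above, as an added simulation that is not part of the original post or of any SEND implementation. It assumes SHA-256 over the packed 16-byte address as the link-wide hash (the message names no hash function), constructs its own sample addresses and node names, and shows the check the proposal relies on: the address carried in the Neighbor Advertisement must hash to the value that was probed. A responder that only sees the hash, like the classic DAD DoS attacker, has to guess the address, and its reply is rejected. The `guess_target` function at the end is the practitioner's check the proposal implicitly depends on: a responder that can enumerate candidate addresses (for instance because the tested interface identifier is predictable) can hash them itself and recover the probed address, so the defense holds only while the tentative address is unpredictable to the attacker.

```python
"""Simulation of the hashed DAD proposal (added example, not the original author's code)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


def hash_address(addr: str) -> bytes:
    # Assumption: the link-wide hash is SHA-256 over the 16-byte packed address.
    # The proposal only requires that every node on the link uses the same function.
    return hashlib.sha256(ipaddress.IPv6Address(addr).packed).digest()


@dataclass
class Node:
    """A well-behaved node: answers a hashed DAD probe only if it owns the matching address."""
    name: str
    addresses: Set[str] = field(default_factory=set)

    def on_hashed_dad(self, target_hash: bytes) -> Optional[str]:
        for addr in self.addresses:
            if hash_address(addr) == target_hash:
                return addr  # the NA carries the real address, not the hash
        return None


class Attacker(Node):
    """The classic DAD DoS responder: claims every probed address is taken.
    Under hashed DAD it only sees H(address), so all it can do is guess."""

    def __init__(self, name: str, guess: str):
        super().__init__(name)
        self.guess = guess

    def on_hashed_dad(self, target_hash: bytes) -> Optional[str]:
        return self.guess


def hashed_dad(tentative: str, responders: Iterable[Node]) -> Tuple[bool, List[str]]:
    """Run one hashed DAD round for `tentative`.
    Returns (duplicate_confirmed, names of responders whose NA was rejected)."""
    probe = hash_address(tentative)  # this is what goes on the wire in the NS
    duplicate = False
    rejected: List[str] = []
    for r in responders:
        reply = r.on_hashed_dad(probe)
        if reply is None:
            continue
        # The check the proposal relies on: the advertised address must hash to the probe.
        # Since the prober knows its own tentative address this is the same as reply == tentative.
        if hash_address(reply) == probe:
            duplicate = True
        else:
            rejected.append(r.name)
    return duplicate, rejected


def guess_target(target_hash: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What a responder that can enumerate candidate addresses recovers from a probe."""
    for c in candidates:
        if hash_address(c) == target_hash:
            return c
    return None


TENTATIVE = "2001:db8::a1b2:c3d4:e5f6:7a8b"  # constructed sample address

if __name__ == "__main__":
    mallory = Attacker("mallory", guess="2001:db8::1")
    # No real duplicate on the link: only the attacker answers, and its NA is rejected.
    print(hashed_dad(TENTATIVE, [Node("bob", {"2001:db8::b0b"}), mallory]))
    # A genuine duplicate: alice's NA hashes to the probe and is accepted.
    print(hashed_dad(TENTATIVE, [Node("alice", {TENTATIVE}), mallory]))
    # An attacker with a good candidate list learns the probed address anyway.
    print(guess_target(hash_address(TENTATIVE), ["2001:db8::1", TENTATIVE]))
```

Run it directly to see the three cases: `(False, ['mallory'])`, `(True, ['mallory'])`, and the tentative address recovered from its hash. The comparison in `hashed_dad` is written as a hash check to mirror the message's framing; in practice the prober can simply compare the advertised address with its own tentative address, which is what the hash equality reduces to.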
- [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD marcelo bagnulo braun
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD marcelo bagnulo braun