IETF Logo Mail Archive

Re: [CGA-EXT] Hashed DAD

marcelo bagnulo braun <marcelo@it.uc3m.es> Fri, 29 February 2008 09:45 UTC

Return-Path: <cga-ext-bounces@ietf.org>
X-Original-To: ietfarch-cga-ext-archive@core3.amsl.com
Delivered-To: ietfarch-cga-ext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8FEB028C983; Fri, 29 Feb 2008 01:45:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.262
X-Spam-Level:
X-Spam-Status: No, score=0.262 tagged_above=-999 required=5 tests=[AWL=-2.782, BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, J_CHICKENPOX_13=0.6, RCVD_BAD_ID=2.837, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKFeddY0k9RP; Fri, 29 Feb 2008 01:45:53 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8682928C9A4; Fri, 29 Feb 2008 01:45:53 -0800 (PST)
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E8D528C993 for <cga-ext@core3.amsl.com>; Fri, 29 Feb 2008 01:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqGmYan5T9zZ for <cga-ext@core3.amsl.com>; Fri, 29 Feb 2008 01:45:46 -0800 (PST)
Received: from smtp03.uc3m.es (smtp03.uc3m.es [163.117.176.133]) by core3.amsl.com (Postfix) with ESMTP id 49C4928C9BD for <cga-ext@ietf.org>; Fri, 29 Feb 2008 01:45:44 -0800 (PST)
Received: from [222.128.247.44] (unknown [222.128.247.44])(using TLSv1 with cipher AES128-SHA (128/128 bits))(No client certificate requested)by smtp03.uc3m.es (Postfix) with ESMTP id 74F4F330D10;Fri, 29 Feb 2008 10:45:33 +0100 (CET)
Message-Id: <21624D6A-0093-4E5C-96ED-BDF5C33164F9@it.uc3m.es>
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
In-Reply-To: <47C72E84.9010000@ericsson.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Fri, 29 Feb 2008 07:06:46 +0100
References: <18a603a60802281139x220a6227j24d9b0234c65b71b@mail.gmail.com> <47C72E84.9010000@ericsson.com>
X-Mailer: Apple Mail (2.919.2)
X-imss-version: 2.050
X-imss-result: Passed
X-imss-scanInfo: M:B L:E SM:2
X-imss-tmaseResult: TT:1 TS:-31.9280 TC:1F TRN:85 TV:5.0.1023(15758.003)
X-imss-scores: Clean:100.00000 C:0 M:0 S:0 R:0
X-imss-settings: Baseline:1 C:1 M:1 S:1 R:1 (0.0000 0.0000)
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Hashed DAD
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: cga-ext-bounces@ietf.org
Errors-To: cga-ext-bounces@ietf.org

Hi,

El 28/02/2008, a las 22:58, Suresh Krishnan escribió:

> Hi Pars,
>   There are not much details to go on, but I can already see that  
> there
> are a couple of issues with this approach.
>
> * It works only if ALL NODES in the network support your upgraded
> specification, since if there is even one unupgraded node it will
> destroy your scheme. This makes this proposal a non-starter.
>

right, your point is that if you simply substitute the address by a  
hash then you change the semantics of the address field in the NA so  
it would break the protocol

In order to solve this problem an approach similar to SeND is needed,  
i.e. to keep the original address and add some additional information  
that can be processed by upgraded nodes if they support the new  
security mechanism, right?


Actually, i think that there would be possible a simpler mechanism to  
achieve similar level of protection with a similar cost to the one  
that is being proposed by Pars, and it is basically veryfying that the  
address corresponds to the CGA PDS contained in the  CGA option  
defined by SeND.

I mean, by performing only this verification (and not the one of the  
signature) it would be impossible for a host to respond to the DAD for  
an address it does not know the CGA PDS. So essentially it would  
result in a similar protection to the one proposed by PArs, with the  
similar verification cost, i.e. performing a hash computation for the  
verification. Not only that, but is also would be more backward  
compatible, in the sense that a host that not supports send can just  
omit the CGA option processing

However, this still has the second problem identified by Suresh, that  
is that basically, if an attacker can learn the CGA PDS, it will be  
able to launch the DoS attack for that address. This basically means  
that the host can defend the address the first tim it has generated  
the address, but after that, if it want to reuse it, it will be  
vulnerable to the DOS attack, cause the potential attackers could have  
learnt the associated CGA PDS

So, i guess this could be cheaper, but also weaker. The only  
application of such approach that i can think that makes sense is for  
Privacy addresses, where you are likely to use the address a reduced  
amount of time, and you may want to use tdifferent addresses  
frequently, so, maybe it makes sense this tradeoff i.e. lower  
processing for the defense (since you will be doing this many times  
each time a new privacy address is generated) and you can only defend  
the address efectively the first time you use it (if this is a privacy  
address, you will probably use it only for a short while)

but, maybe it just too much of a corner case to be worth it

in any case, it is an interesting exercise

regards, marcelo


> * Even on a theoretical note, it is pretty simple to defeat.
> This is an example exchange. Let's say there are two nodes A (the nice
> node) and M(the malicious node). A owns the address X.
>
> a) A sends a DAD NS for Hash(X)
> b) M gets this message
> c) M sends a DAD NS for Hash(X)
> d) A responds to M with the original address X
> e) M can now defend the address X since he knows it
>
> Cheers
> Suresh
>
> Pars Mutaf wrote:
>> Hello,
>>
>> Below is a IMHO better protection against DAD DoS attack for
>> SEND.  It is very simple I won't bother you with a personal  
>> draft. :-)
>> I hope the solution is OK.
>>
>> Regards,
>> pars
>>
>>
>>
>> =========
>>
>>                     Hashed duplicate address detection
>>
>>
>> Abstract
>>
>>   This document proposes a cheap defense against the
>>   Duplicate Address Detection (DAD) denial-of-service attack in IPv6.
>>
>> 1. Introduction
>>
>>   Duplicate Address Detection (DAD) in IPv6 is vulnerable to a well- 
>> known
>>   Denial-of-Service attack. Each time the victim performs DAD on a
>>   tentative address, the attacker returns a positive response  
>> indicating
>>   that the address is already in use. This attack prevents the victim
>>   from configuring an IPv6 address.
>>
>>   "Secure Neighbor Discovery counters this attack by requiring that  
>> the
>>   Neighbor Advertisements sent as responses to DAD include an RSA
>>   Signature option and proof of authorization to use the interface
>>   identifier in the address being tested.  If these prerequisites  
>> are not
>>   met, the node performing DAD discards the responses." [SEND]
>>
>>   This solution leads to unnecessary energy consumption for
>>   signature/verification and generating larger packets including an  
>> RSA
>>   signature option. An attacker may be able to force a victim to
>>   continuously use this solution and consume more energy than it  
>> would
>>   using insecure DAD.
>>
>>   This document proposes an alternative solution which is  
>> computationally
>>   cheap and does not require the modification of the neighbor
>>   advertisement packet.
>>
>>
>> 2. Hashed duplicate address detection
>>
>>   In the proposed solution, the node performing DAD on its tentative
>>   address, computes a cryptographic hash of that address, and  
>> performs DAD
>>   for the result.
>>
>>   Each node in the subnet, using the same hash function, computes  
>> the hash
>>   of its address and compares it to the hash result received from  
>> the node
>>   that performs DAD. Upon match, the target node returns a neighbor
>>   advertisement that contains its address (i.e. not the hash result  
>> but its
>>   real address). This proves that the target node has really  
>> configured
>>   that address.
>>
>>   An attacker cannot know in advance which address is being tested.
>>   Consequently, the DAD denial-of-service attack is defeated.
>>
>> 3. Conclusion
>>
>>   This document proposed a computationally cheap defense to the  
>> Duplicate
>>   Address Detection (DAD) denial-of-service attack.
>> _______________________________________________
>> CGA-EXT mailing list
>> CGA-EXT@ietf.org
>> https://www.ietf.org/mailman/listinfo/cga-ext
>
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext

_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext

v2.23.0 | Report a Bug | By Email