Re: [CGA-EXT] Hashed DAD
Suresh Krishnan <suresh.krishnan@ericsson.com> Thu, 28 February 2008 21:59 UTC
Message-ID: <47C72E84.9010000@ericsson.com>
Date: Thu, 28 Feb 2008 16:58:28 -0500
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
To: Pars Mutaf <pars.mutaf@gmail.com>
References: <18a603a60802281139x220a6227j24d9b0234c65b71b@mail.gmail.com>
In-Reply-To: <18a603a60802281139x220a6227j24d9b0234c65b71b@mail.gmail.com>
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Hashed DAD
Hi Pars,
  There are not many details to go on, but I can already see that there are a couple of issues with this approach.

* It works only if ALL NODES in the network support your upgraded specification, since if there is even one unupgraded node it will destroy your scheme. This makes this proposal a non-starter.

* Even on a theoretical note, it is pretty simple to defeat. This is an example exchange. Let's say there are two nodes A (the nice node) and M (the malicious node). A owns the address X.

a) A sends a DAD NS for Hash(X)
b) M gets this message
c) M sends a DAD NS for Hash(X)
d) A responds to M with the original address X
e) M can now defend the address X since he knows it

Cheers
Suresh

Pars Mutaf wrote:
> Hello,
>
> Below is an IMHO better protection against DAD DoS attack for
> SEND. It is very simple; I won't bother you with a personal draft. :-)
> I hope the solution is OK.
>
> Regards,
> pars
>
>
> =========
>
> Hashed duplicate address detection
>
>
> Abstract
>
> This document proposes a cheap defense against the
> Duplicate Address Detection (DAD) denial-of-service attack in IPv6.
>
> 1. Introduction
>
> Duplicate Address Detection (DAD) in IPv6 is vulnerable to a well-known
> Denial-of-Service attack. Each time the victim performs DAD on a
> tentative address, the attacker returns a positive response indicating
> that the address is already in use. This attack prevents the victim
> from configuring an IPv6 address.
>
> "Secure Neighbor Discovery counters this attack by requiring that the
> Neighbor Advertisements sent as responses to DAD include an RSA
> Signature option and proof of authorization to use the interface
> identifier in the address being tested. If these prerequisites are not
> met, the node performing DAD discards the responses." [SEND]
>
> This solution leads to unnecessary energy consumption for
> signature/verification and generating larger packets including an RSA
> signature option. An attacker may be able to force a victim to
> continuously use this solution and consume more energy than it would
> using insecure DAD.
>
> This document proposes an alternative solution which is computationally
> cheap and does not require the modification of the neighbor
> advertisement packet.
>
>
> 2. Hashed duplicate address detection
>
> In the proposed solution, the node performing DAD on its tentative
> address computes a cryptographic hash of that address, and performs DAD
> for the result.
>
> Each node in the subnet, using the same hash function, computes the hash
> of its address and compares it to the hash result received from the node
> that performs DAD. Upon match, the target node returns a neighbor
> advertisement that contains its address (i.e. not the hash result but its
> real address). This proves that the target node has really configured
> that address.
>
> An attacker cannot know in advance which address is being tested.
> Consequently, the DAD denial-of-service attack is defeated.
>
> 3. Conclusion
>
> This document proposed a computationally cheap defense to the Duplicate
> Address Detection (DAD) denial-of-service attack.

_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext
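The exchange (a)-(e) in the reply above, and the un-upgraded-node objection, as an added model that is not part of the thread and not code from either poster. It assumes SHA-256 of the textual address for the hash function the draft leaves unspecified, represents NS/NA messages as dicts and the link as a Python list, and uses made-up sample addresses; the legacy node is modelled as classic DAD that compares the NS target only against its real addresses.

```python
"""Model of the hashed-DAD proposal quoted above and of the two problems
raised in the reply.  Added illustration, not code from the thread.
Assumptions: SHA-256 stands in for the unspecified hash; NS/NA messages
are dicts; a list models the link; sample addresses are constructed."""
import hashlib


def hashed_target(addr):
    """Hash of a tentative address, used as the NS target (assumed SHA-256)."""
    return hashlib.sha256(addr.encode("ascii")).hexdigest()


class Node:
    def __init__(self, name, addresses=(), hashed_dad=True):
        self.name = name
        self.addresses = set(addresses)
        self.hashed_dad = hashed_dad  # False models an un-upgraded (classic DAD) node

    def ns_target(self, tentative):
        """NS target this node sends when it runs DAD for `tentative`."""
        return hashed_target(tentative) if self.hashed_dad else tentative

    def on_ns(self, target):
        """Return an NA dict if this node defends `target`, else None."""
        if not self.hashed_dad:
            # legacy node never computes a hash, so a hashed target never matches
            return {"from": self.name, "addr": target} if target in self.addresses else None
        for addr in self.addresses:
            if hashed_target(addr) == target:
                # the proposal: answer with the real address, not the hash
                return {"from": self.name, "addr": addr}
        return None


class Attacker(Node):
    """M: an upgraded node that records every hashed target it sees on the link."""

    def __init__(self, name):
        super().__init__(name)
        self.seen_targets = []

    def on_ns(self, target):
        self.seen_targets.append(target)
        return super().on_ns(target)

    def replay(self, link):
        """Steps (c)-(e): resend each recorded hash as M's own DAD NS; the real
        owner answers with the cleartext address, which M adds to its own set."""
        for target in list(self.seen_targets):
            for na in send_ns(link, self, target):
                self.addresses.add(na["addr"])
        return set(self.addresses)


def send_ns(link, sender, target):
    """Multicast an NS with `target`; collect the NAs from every other node."""
    replies = []
    for node in link:
        if node is sender:
            continue
        na = node.on_ns(target)
        if na is not None:
            replies.append(na)
    return replies


def dad(link, node, tentative):
    """Run DAD for `tentative` from `node`; True means the address looks unique."""
    return not send_ns(link, node, node.ns_target(tentative))


def run_honest_case():
    """Two upgraded nodes: hashed DAD does catch a real duplicate (returns True)."""
    x, v = "2001:db8::a", Node("V")
    return not dad([Node("A", {x}), v], v, x)


def run_reflection_attack():
    """The exchange (a)-(e).  Returns (M could answer before the replay,
    addresses M learned, M alone blocks V's DAD on X afterwards)."""
    x = "2001:db8::a"
    a, m, v = Node("A", {x}), Attacker("M"), Node("V")
    link = [a, m, v]
    # (a)-(b): A sends a DAD NS for Hash(X); M sees only the hash and cannot answer it.
    nas = send_ns(link, a, a.ns_target(x))
    could_answer_before = any(na["from"] == "M" for na in nas)
    # (c)-(e): M replays Hash(X) as its own DAD NS; A answers with X in the clear.
    learned = m.replay(link)
    # M now defends X on its own, even with A gone from the link.
    v_blocked = not dad([m, v], v, x)
    return could_answer_before, learned, v_blocked


def run_legacy_case():
    """Mixed link: L runs classic DAD and already owns Y.  B's hashed DAD for Y
    wrongly passes (returns True) because L never answers a hashed target."""
    y = "2001:db8::1"
    legacy, b = Node("L", {y}, hashed_dad=False), Node("B")
    return dad([legacy, b], b, y)


if __name__ == "__main__":
    print("honest duplicate detected:", run_honest_case())
    print("reflection attack (before, learned, blocked):", run_reflection_attack())
    print("legacy owner missed:", run_legacy_case())
```

The model keeps the draft's rule that a matching node answers with its real address; that single design choice is what lets M turn any observed Hash(X) into X with one replayed NS, since nothing ties the NS to the node that is actually testing the address.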
- [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD marcelo bagnulo braun
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD marcelo bagnulo braun