Re: [CGA-EXT] Hashed DAD
marcelo bagnulo braun <marcelo@it.uc3m.es> Fri, 29 February 2008 10:24 UTC
Return-Path: <cga-ext-bounces@ietf.org>
X-Original-To: ietfarch-cga-ext-archive@core3.amsl.com
Delivered-To: ietfarch-cga-ext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 48A623A6838; Fri, 29 Feb 2008 02:24:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.102
X-Spam-Level: *
X-Spam-Status: No, score=1.102 tagged_above=-999 required=5 tests=[AWL=-1.298, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RCVD_BAD_ID=2.837, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yK0ziQSYebZp; Fri, 29 Feb 2008 02:24:39 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E04B03A6A0E; Fri, 29 Feb 2008 02:24:39 -0800 (PST)
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1AD7E28C21F for <cga-ext@core3.amsl.com>; Fri, 29 Feb 2008 02:24:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tu2n06555rvJ for <cga-ext@core3.amsl.com>; Fri, 29 Feb 2008 02:24:32 -0800 (PST)
Received: from smtp03.uc3m.es (smtp03.uc3m.es [163.117.176.133]) by core3.amsl.com (Postfix) with ESMTP id 3EB7C3A6A0E for <cga-ext@ietf.org>; Fri, 29 Feb 2008 02:24:31 -0800 (PST)
Received: from [222.128.247.44] (unknown [222.128.247.44])(using TLSv1 with cipher AES128-SHA (128/128 bits))(No client certificate requested)by smtp03.uc3m.es (Postfix) with ESMTP id 07CCD332EB3;Fri, 29 Feb 2008 11:24:21 +0100 (CET)
Message-Id: <900C022E-9139-467E-A5E5-C6D73B08176F@it.uc3m.es>
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
To: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <E896F618-BCD9-4E32-8A74-C2168055DFEB@muada.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Fri, 29 Feb 2008 11:24:19 +0100
References: <18a603a60802281139x220a6227j24d9b0234c65b71b@mail.gmail.com> <47C72E84.9010000@ericsson.com> <21624D6A-0093-4E5C-96ED-BDF5C33164F9@it.uc3m.es> <E896F618-BCD9-4E32-8A74-C2168055DFEB@muada.com>
X-Mailer: Apple Mail (2.919.2)
X-imss-version: 2.050
X-imss-result: Passed
X-imss-scanInfo: M:B L:E SM:2
X-imss-tmaseResult: TT:1 TS:-22.7290 TC:02 TRN:51 TV:5.0.1023(15758.003)
X-imss-scores: Clean:100.00000 C:0 M:0 S:0 R:0
X-imss-settings: Baseline:1 C:1 M:1 S:1 R:1 (0.0000 0.0000)
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Hashed DAD
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: cga-ext-bounces@ietf.org
Errors-To: cga-ext-bounces@ietf.org
El 29/02/2008, a las 10:59, Iljitsch van Beijnum escribió: > On 29 feb 2008, at 7:06, marcelo bagnulo braun wrote: > >> Actually, i think that there would be possible a simpler mechanism to >> achieve similar level of protection with a similar cost to the one >> that is being proposed by Pars, and it is basically veryfying that >> the >> address corresponds to the CGA PDS contained in the CGA option >> defined by SeND. > > [...] > > Wouldn't this be vulnerable to bidding down attacks? The malicious > host could just claim to not understand the new options. > but this is already the case in all the send protocol i mean, in order to enable backward compatibility you need to deal with hosts that don't understand the protocol and then you may have bidding down attacks. The solution for this is that the host need to figure out what to do. Either it only believes send messages and is secure but may not be able to communicate with legacy nodes or it does trust non send messages and he may be vulnerable to bidding down attacks (At least that how i understand this, please correct me if i am wrong) > Also, wouldn't a host that claims to have an address be right by > definition? I.e., If I want to prevent you from using your new > address, I can simply configure the same address and this will > certainly confuse the link layer enough to make it very hard for you > to use the address, even if SEND can help you "defend" it against > network layer attacks. but in this case, the host can protect itself by only accepting send protected messages > > > Maybe a useful heuristic would be to trust the first 3 DAD failures > with a node with a given link layer address and after that, simply > ignore DAD failures with that link layer address. or only trust send protected messages regards, marcelo > Either the node holding that link layer address is just targeting > DAD and you'll be able to use the address, or they're really out to > get you at layer 2 and no amount of DAD is going to help. _______________________________________________ CGA-EXT mailing list CGA-EXT@ietf.org https://www.ietf.org/mailman/listinfo/cga-ext
- [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD Suresh Krishnan
- Re: [CGA-EXT] Hashed DAD Pars Mutaf
- Re: [CGA-EXT] Hashed DAD marcelo bagnulo braun
- Re: [CGA-EXT] Hashed DAD Iljitsch van Beijnum
- Re: [CGA-EXT] Hashed DAD marcelo bagnulo braun