Re: [dtn-interest] Re: [ltp] draft-irtf-dtnrg-ltp-extensions-00

[Wesley Eddy <weddy@grc.nasa.gov>]

I will not publicly respond further in this thread.  I think this and
previous messages make my point abundantly clear.  I will continue
discussion offlist, if you'd wish.  Here are some final responses:

On Mon, Feb 07, 2005 at 06:06:32PM +0000, Stephen Farrell wrote:
> 
> >>I can't understand why you continue to ignore the following:
> >>
> >>  Running LTP over a radio link leaves open potential DoS and
> >>  other directed attacks which are worse than jamming and
> >>  many, in fact, almost all, of the practical options for such
> >>  links (802.11b/WEP,BT,GSM) suffer from known security problems.
> 
> I take it you accept this then?
>


No I don't.  I haven't seen any threat model that presents why LTP
should attempt to operate over clearly compromised links.  A sane LTP
implementation can't be effectively DoSed, in any case.

 
 
> I guess my experience tells me that authentication support is a
> requirement for pretty much all protocols. Isn't that also a very
> reasonable guideline?


No.  Authentication is not a requirement (or even a desirable feature)
for a large (and important) set of network uses, eg casual web browsing.


> > Applying
> >this to authentication mechanisms in LTP ... the mere presence of an
> >attacker on a link indicates that it is no longer point-to-point.
> 
> Hang on. Your initial argument against LTP authentication was that
> it could be done by a link layer, and you mentioned GSM/GPRS & BT.
> Now, you seem to be saying that such cases are out of scope.
> So which is it?


I don't follow your question.  I've always said that authentication does
not belong in LTP and that lower (and upper) layers can do this just
fine.  Several rather useful transport protocols (TCP, UDP, DCCP, etc)
exist without any cryptographic authentication mechanisms.  When these
have been needed, they've been provided at other layers.

 
> >Authentication mechanisms in LTP would attempt to maintain a semblance
> >of the designed-for precondition of point-to-pointedness over a
> >compromised link.  
> 
> Not at all. Authentication mechanisms allow an LTP peer to detect
> segment modification/insertion which is possible in the cases
> mentioned.


In which case an attacker would just fully utilize the link with noise.
With or without authentication, LTP can get no useful work done once the
link is compromised.


> > Except for being futile, this is not a bad goal, only
> >somewhat out of scope, given the current lack of a lucid description of
> >even a single use case where an attacker would wish to forge LTP
> >segments.
> 
> Hyperbole again. Honestly, it doesn't help me understand you.


Disagree.

 
> >If particular applications are worried about being attacked by bogus
> >data, then they'll surely have their own end-to-end methods of
> >authenitcating data.  
> 
> I already responded a couple of time wrt the multiple layers
> where security is appropriate I guess.


No one is arguing about the virtues of a multi-layered approach.  We've
all read Saltzer, Reed, & Clark.  What we're talking about here is what
layers a specific feature has merits at.

 
> > LTP need not protect them.  The worst thing, it
> >seems, that an attacker could really do is waste capacity at additional
> >links by spoofing segments that an upper layer would decide to route
> >onwards.  
> 
> DoS is a killer for basically any unattended host, regardless of
> the layer at which it occurs. Turns out that all our experience
> shows that almost all complex systems have DoS opportunities
> all over the place.

LTP itself cannot be DoSed.  There are no resources there, aside from the
segment buffers.  Forcing segment buffers to be maintained indefinitely
is possible with or without an LTP-based authentication scheme.
Resistance is futile.

-Wes

-- 
Wesley M. Eddy
NASA GRC / Verizon FNS
http://roland.grc.nasa.gov/~weddy