A method to prevent DoS in IPv6 DAD and Mobile IPv6
Pekka Nikander <pekka.nikander@nomadiclab.com> Sun, 18 March 2001 11:20 UTC
Message-ID: <3AB47F98.A5CFEC6C@nomadiclab.com>
Date: Sun, 18 Mar 2001 11:27:52 +0200
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
To: IPSEC Mailing List <ipsec@lists.tislabs.com>, IPNG Mailing List <ipng@sunroof.eng.sun.com>
Subject: A method to prevent DoS in IPv6 DAD and Mobile IPv6

A number of recent IDs have shown a number of potential security deficiencies in the way IPsec is used in a number of IPv6 signalling functions, including Duplicate Address Detection (DAD) and Mobile IPv6 Binding Updates (BUs). The relevant drafts include the following.

  draft-arkko-icmpv6-ike-effects-00.txt
  draft-nikander-ipng-address-ownership-00.txt

The so-called PBK-keys (draft-bradner-pbk-frame-00.txt) attempt to solve the Mobile IPv6 related problem by proposing a new class of identifiers, EIDs. In some respects that approach is similar to the HIP approach.

While thinking about the problem, an idea of using the IPv6 interface identifier as a cryptographic token appeared to me. That is, by generating the interface identifier from components using a cryptographic one-way function, one can "bind" the interface identifier to the components, and base the security on the components.

The idea is very new, and comments are solicited. Currently a working copy of the forthcoming -00 drafts is available at

  http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-pbk-addresses-00.txt

I'll be working with the draft during my flights to Minneapolis, posting it as soon as drafts are accepted again.

There is currently a plan to discuss related issues at the Mobile IP WG meeting and the SAAG session on Thursday.

--Pekka Nikander
  Ericsson
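
The following sketch is an added example, not part of the original message and not taken from the draft it mentions. It shows how an interface identifier derived with a one-way function lets a verifier check a claimed address against disclosed components. The choice of components (subnet prefix, a public key, a nonce), SHA-256, and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress


def interface_id(components: bytes) -> bytes:
    """Return a 64-bit interface identifier: truncated one-way hash of the components."""
    iid = bytearray(hashlib.sha256(components).digest()[:8])
    # Assumption: clear the universal/local and group bits so the value
    # is not mistaken for a globally unique EUI-64 identifier.
    iid[0] &= 0xFC
    return bytes(iid)


def make_address(prefix: str, public_key: bytes, nonce: bytes) -> ipaddress.IPv6Address:
    """Build an address whose low 64 bits are bound to (prefix, key, nonce)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("a /64 subnet prefix is required")
    prefix_bytes = net.network_address.packed[:8]
    return ipaddress.IPv6Address(
        prefix_bytes + interface_id(prefix_bytes + public_key + nonce)
    )


def verify_claim(address: ipaddress.IPv6Address, public_key: bytes, nonce: bytes) -> bool:
    """Recompute the identifier from the disclosed components and compare.

    A node that picks someone else's address cannot present components that
    hash to it, so its claim is rejected. Proving possession of the matching
    private key (for example with a signature) is a separate step not shown.
    """
    prefix_bytes, claimed_iid = address.packed[:8], address.packed[8:]
    expected = interface_id(prefix_bytes + public_key + nonce)
    return hmac.compare_digest(claimed_iid, expected)


# Constructed sample values (documentation prefix, placeholder key material).
PREFIX = "2001:db8:1:2::/64"
OWNER_KEY = b"constructed-public-key-of-owner"
OTHER_KEY = b"constructed-public-key-of-other-node"
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    addr = make_address(PREFIX, OWNER_KEY, NONCE)
    print(addr, verify_claim(addr, OWNER_KEY, NONCE), verify_claim(addr, OTHER_KEY, NONCE))
```

Because the prefix is one of the hashed components, the same identifier moved under a different prefix also fails verification.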