IETF Logo Mail Archive

Re: [Mip6] comments on draft-vogt-mip6-early-binding-updates-00

"Mohan Parthasarathy" <mohanp@sbcglobal.net> Mon, 08 March 2004 18:04 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17322 for <mip6-archive@odin.ietf.org>; Mon, 8 Mar 2004 13:04:23 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B0P6a-0003KT-Vx for mip6-archive@odin.ietf.org; Mon, 08 Mar 2004 13:03:57 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i28I3uZN012796 for mip6-archive@odin.ietf.org; Mon, 8 Mar 2004 13:03:56 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B0P6a-0003KJ-Po for mip6-web-archive@optimus.ietf.org; Mon, 08 Mar 2004 13:03:56 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17284 for <mip6-web-archive@ietf.org>; Mon, 8 Mar 2004 13:03:52 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B0P6Y-0003OZ-00 for mip6-web-archive@ietf.org; Mon, 08 Mar 2004 13:03:54 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B0P5Y-0003FH-00 for mip6-web-archive@ietf.org; Mon, 08 Mar 2004 13:02:53 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1B0P50-00035q-00 for mip6-web-archive@ietf.org; Mon, 08 Mar 2004 13:02:18 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B0P4j-00035z-Iw; Mon, 08 Mar 2004 13:02:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B0P4W-00035G-5X for mip6@optimus.ietf.org; Mon, 08 Mar 2004 13:01:48 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17133 for <mip6@ietf.org>; Mon, 8 Mar 2004 13:01:43 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B0P4U-00034I-00 for mip6@ietf.org; Mon, 08 Mar 2004 13:01:46 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B0P3b-0002v9-00 for mip6@ietf.org; Mon, 08 Mar 2004 13:00:51 -0500
Received: from smtp810.mail.sc5.yahoo.com ([66.163.170.80]) by ietf-mx with smtp (Exim 4.12) id 1B0P2k-0002la-00 for mip6@ietf.org; Mon, 08 Mar 2004 12:59:58 -0500
Received: from unknown (HELO adithya) (mohanp@sbcglobal.net@192.103.17.134 with login) by smtp810.mail.sc5.yahoo.com with SMTP; 8 Mar 2004 17:59:57 -0000
Message-ID: <009101c40537$2c4472c0$861167c0@adithya>
From: Mohan Parthasarathy <mohanp@sbcglobal.net>
To: Christian Vogt <chvogt@tm.uka.de>
Cc: Francis Dupont <Francis.Dupont@enst-bretagne.fr>, Jari Arkko <jari.arkko@kolumbus.fi>, Erik Nordmark <Erik.Nordmark@sun.com>, mip6@ietf.org
References: <200403040804.i2484sSj064874@givry.rennes.enst-bretagne.fr> <00f001c40257$854553e0$6401a8c0@adithya> <02dd01c4046b$c24dd8f0$5347038d@tm.unikarlsruhe.de>
Subject: Re: [Mip6] comments on draft-vogt-mip6-early-binding-updates-00
Date: Mon, 08 Mar 2004 09:59:59 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id NAA17134
Sender: mip6-admin@ietf.org
Errors-To: mip6-admin@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Id: <mip6.ietf.org>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL,SUBJ_HAS_UNIQ_ID autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable


> > I don't think that the reason that EBU just limits
> > the attack to a very small amount of time is good
> > enough as the attacker just have to send a lot more
> > EBUs for it to increase the magnitude.
>
>
> Hi Mohan,
>
> I agree that solely limiting the time during which data packets can be sent to an unverified care-of address - i.e., a care-of
address for which a care-of-address test has not yet been accomplished - is insufficient to prevent flooding attacks. For this
reason, Early Binding Updates apply a mechanism, Credit-Based Authorization, to ensure that the data volume sent to a mobile node at
an unverified care-of address is limited by the effort which the mobile node has recently spent while its care-of address was
verified.
>
> I gave a presentation of Credit-Based Authorization during the MOBOPTS-Session of the 59th IETF meeting. The mechanism will be
detailed in the next version of the Internet-Draft on Early Binding Updates.
>
Ok. By limiting the amount of data sent during the "unverified care-of-address" window, you
still want it to be useful for applications that wanted to use EBU. Not knowing the details, i will
wait for your next version of the draft.

-mohan

> Kind regards,
>
>
> - Christian
>
>
> |
> | Christian Vogt
> | Institute of Telematics, University of Karlsruhe (TH)
> | www.tm.uka.de/~chvogt/
> |
>
>
> Mohan Parthasarathy wrote:
> > Francis,
> >
> > I am trying to understand your argument better..
> >
> >> In your previous mail you wrote:
> >>
> >>    But what we in my opinion
> >>    should prevent is the amplification, not pure reflection.
> >>
> >> => this is the detail we disagree: if we prevent pure reflection,
> >> we prevent this attack and all others using the same hole but
> >> which are *reality*, not speculations.
> >>
> >>    I mean if you have ingress filtering,
> >>
> >> => this is the only case which makes sense.
> >>
> >>    you might not even
> >>    be able to send the EBU to begin with, let alone spoofed ACKs.
> >>
> >>    However, we are in part trying to build these things so that the
> >>    lack of ingress filtering doesn't open up the situation for many
> >>    new attacks.
> >>
> >> => it doesn't matter to get new attacks, it does matter to get no new
> >> attacks which have a definitive advantage over current attacks, e.g.
> >> which defeat ingress filtering by hiding the source address...
> >>
> > I can see your point. Your point is about why would anyone use MIPv6
> > when
> > one can use plain IPv6 to launch the reflection attack. Using MIPv6
> > also has
> > a dis-advantage that it exposes the home address of the attacker. But
> > does it mean that we can design protocols with this vulnerability
> > expecting that ingress filtering will get deployed in the future
> > which will automatically solve this problem ? Then why do we have to
> > CoTI/CoT messages at all in
> > the base protocol ? Assume we ban the alternate care-of-address
> > option,
> > and also that ingress filtering will get deployed in the future, does
> > that mean CoT/CoTI is not needed at all ? I don't think that the
> > reason that
> > EBU just limits the attack to a very small amount of time is good
> > enough as the attacker just have to send a lot more EBUs for it to
> > increase the magnitude.
> >
> > -mohan
>
> 2*zT¨¥Sx%SËLSz¢z×è®m¶>?ÿ 0?ë_¢¸?T¨¥T©ÿ-+-Swèþh©


_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www.ietf.org/mailman/listinfo/mip6

v2.23.0 | Report a Bug | By Email