Re: [Mip6] RR protocol
Jianying Zhou <jyzhou@i2r.a-star.edu.sg> Tue, 02 November 2004 08:06 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA24384 for <mip6-web-archive@ietf.org>; Tue, 2 Nov 2004 03:06:40 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1COtvk-0002u8-Er for mip6-web-archive@ietf.org; Tue, 02 Nov 2004 03:22:16 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1COta2-0005yJ-G1; Tue, 02 Nov 2004 02:59:50 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1COtVN-0003z6-7X for mip6@megatron.ietf.org; Tue, 02 Nov 2004 02:55:02 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA23355 for <mip6@ietf.org>; Tue, 2 Nov 2004 02:55:00 -0500 (EST)
Received: from rodin.i2r.a-star.edu.sg ([192.122.139.27] helo=i2r.a-star.edu.sg) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1COtkQ-0002fm-K2 for mip6@ietf.org; Tue, 02 Nov 2004 03:10:35 -0500
Received: from newmailhost (localhost [127.0.0.1]) by i2r.a-star.edu.sg (8.12.10/8.12.10) with ESMTP id iA27smCE011704 for <mip6@ietf.org>; Tue, 2 Nov 2004 15:54:48 +0800 (SGT)
Received: from i2r.a-star.edu.sg ([192.168.137.229]) by mailhost.lit.org.sg (iPlanet Messaging Server 5.2 Patch 1 (built Aug 19 2002)) with ESMTP id <0I6J0084YKNJHF@mailhost.lit.org.sg> for mip6@ietf.org; Tue, 02 Nov 2004 15:54:55 +0800 (SGT)
Date: Tue, 02 Nov 2004 15:56:22 +0800
From: Jianying Zhou <jyzhou@i2r.a-star.edu.sg>
Subject: Re: [Mip6] RR protocol
To: Christian Vogt <chvogt@tm.uka.de>
Message-id: <41873DA6.8030103@i2r.a-star.edu.sg>
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"; format="flowed"
Content-transfer-encoding: 7bit
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
References: <4148080E.10009@i2r.a-star.edu.sg> <41481E0B.6000904@kolumbus.fi> <417FB0DA.80207@tm.uka.de>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d2e37451f7f22841e3b6f40c67db0f
Content-Transfer-Encoding: 7bit
Cc: Jari Arkko <jari.arkko@kolumbus.fi>, qiuying@i2r.a-star.edu.sg, robertdeng@smu.edu.sg, mip6@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Content-Transfer-Encoding: 7bit
Hi, Christian, Thank you very much for your comments. Our feedback is as follows. > My first comment is on movement-halting attacks (section 3.2). I agree > that an attack like this is possible. Actually, this is what [2] calls > a "time-shift attack": get a token at one time and use it at another > time. Note that the movement-halting attack can be even simpler than > the one you describe in your draft. Since you assume that the MN moves > rapidly enough such that the previous Care-of Keygen Token is still > valid when the MN is at its new place, it wouldn't surprise if the > previous Home Keygen Token is still fresh as well. So, the attacker > could even use both tokens from the previous RR in order to redirect > the MN's packet back to the old CoA. Note that this attack is simpler > for the attacker to accomplish than the attack in your draft: Here, > the attacker does not need to follow the MN to the new location. In > your draft, it needs to. =========== It depends on how the attacker is positioned. If the attacker can intercept both HoT and CoT in a single RR session, your attack on the original RR protocol works. (However, based on the RR design assumption, it occurs less likely.) In our attacking scenario, the attacker could intercept HoT and CoT in different RR sessions. Our improvement prevents the attack in both your scenario and our our scenario. HoT and CoT are all linked to specific HoA and CoA, and they cannot be used to forge valid binding updates with other HoA and CoA. (Note CN will use HoA and CoA etc. to re-calculate KTh and KTc.) ========= > Second, traffic-permutation attacks. This kind of attack is > interesting. It's a variation of the attack where the perpetrator > redirects a MN's (or a stationary node's) packets to a random IP > address (section 3.1.5 of [2]). But note that it is well-known that RR > is vulnerable to an attacker inside the CN's network (more precisely: > somewhere on the intersection of all paths between the CN and one of > the victims). The attacker can impersonate any other node in this > position, and it can redirect other nodes' packets to any IP address. > One way of doing this is the method you describe in your draft. > (Although I don't quite understand why the CN would accept a spoofed > Binding Update only with probability 1/4. The probability should be > 1.0 unless you consider things like nonce-lifetime expiration...) ========= If an attacker uses CoA_i and CoA_j, or HoA_i and HoA_j, or HoA_i and CoA_j (in this order) to generate MACbu, the attack will fail. As the attacker will select them randomly, the probability of success to forge a valid binding update is 1/4, that is only using CoA_i and HoA_j. (CN will use this ordered information to re-calculate KTc and KTh in binding update verification.) With our improvement, the traffic-permutation attack could be prevented. ========= > Ok, my last comment is on your improvement proposal. Your > argumentation is interesting, but I am not sure about the benefit your > proposal has. Consider that, at some point, an attacker must do > something actively. There is no passive attack against the RR except > dropping messages. And we know that RR is vulnerable to an attacker on > the path between the CN and the MN's HA (section 3.1.1 of [2]). In > this position, the attacker can send its own HoTI with the victim's > HoA (and, if we apply your proposed improvement, with a CoA that the > attacker chooses). Due to its position, the attacker can intercept the > HoT. The attacker would then send a CoTI, again with the victim's HoA > (and, if we follow your proposal, the chosen CoA). The attacker must > send the CoTI from a place where it can intercept the CoT. This attack > is possible in the RR as defined in RFC 3775, and it is still possible > with your approach. ========= If MN has bound CoA in HoT, then even if the attacker is on the path between the CN and the MN's HA and intercepts HoT, and further intercepts CoT on the path between the CN and CoA path, the attack still does not work. The same reason as explained in response to your first comment. (Note again, HoT, CoT, HoA, CoA are all linked in our improvement, any change of them will invalidate the binding update verification process.) ========= > I might be missing something. If so, don't hesitate to tell me. ;-) > > Bye, see you in Washington D.C... Look forward to seeing you in Washington DC next week. Cheers. Jianying > - Christian > > > [1] Improvement of Return Routability Protocol > draft-qiu-mip6-rr-improvement-00.txt > > [2] Mobile IP version 6 Route Optimization Security Design Background > draft-ietf-mip6-ro-sec-02.txt > _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www1.ietf.org/mailman/listinfo/mip6
- Re: [Mip6] RR protocol Christian Vogt
- Re: [Mip6] RR protocol Jianying Zhou