IETF Logo Mail Archive

Re: [Mip6] rr weaknesses?

"Christian Vogt" <chvogt@tm.uka.de> Mon, 16 February 2004 10:13 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA09433 for <mip6-archive@odin.ietf.org>; Mon, 16 Feb 2004 05:13:36 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AsfkS-0001ic-Oj for mip6-archive@odin.ietf.org; Mon, 16 Feb 2004 05:13:09 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1GAD87j006604 for mip6-archive@odin.ietf.org; Mon, 16 Feb 2004 05:13:08 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AsfkS-0001iK-9u for mip6-web-archive@optimus.ietf.org; Mon, 16 Feb 2004 05:13:08 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA09418 for <mip6-web-archive@ietf.org>; Mon, 16 Feb 2004 05:13:05 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AsfkP-0000ai-00 for mip6-web-archive@ietf.org; Mon, 16 Feb 2004 05:13:05 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AsfjR-0000XG-00 for mip6-web-archive@ietf.org; Mon, 16 Feb 2004 05:12:06 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1AsfiV-0000Sy-00 for mip6-web-archive@ietf.org; Mon, 16 Feb 2004 05:11:07 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AsfiP-0001cn-Hd; Mon, 16 Feb 2004 05:11:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AsfhZ-0001bT-6t for mip6@optimus.ietf.org; Mon, 16 Feb 2004 05:10:09 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA09340 for <mip6@ietf.org>; Mon, 16 Feb 2004 05:10:05 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AsfhV-0000NP-00 for mip6@ietf.org; Mon, 16 Feb 2004 05:10:05 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AsfgV-0000Ix-00 for mip6@ietf.org; Mon, 16 Feb 2004 05:09:04 -0500
Received: from iramx1.ira.uni-karlsruhe.de ([141.3.10.80]) by ietf-mx with esmtp (Exim 4.12) id 1AsffX-0000C6-00 for mip6@ietf.org; Mon, 16 Feb 2004 05:08:03 -0500
Received: from i72ms2.tm.uni-karlsruhe.de ([141.3.70.17] helo=i72mail01.tm.uka.de) by iramx1.ira.uni-karlsruhe.de with esmtp (Exim 3.30 #10 (Debian)) id 1AsffO-0004KC-00; Mon, 16 Feb 2004 11:07:54 +0100
Received: from i72chvogt.tm.uni-karlsruhe.de ([141.3.71.83] helo=i72ChVogt) by i72mail01.tm.uka.de with esmtp (Exim 4.30) id 1AsffO-0004RD-4L; Mon, 16 Feb 2004 11:07:54 +0100
Message-ID: <00cd01c3f46c$617db720$5347038d@tm.unikarlsruhe.de>
From: Christian Vogt <chvogt@tm.uka.de>
To: Soliman Hesham <H.Soliman@flarion.com>, Francis Dupont <Francis.Dupont@enst-bretagne.fr>, Jari Arkko <jari.arkko@kolumbus.fi>
Cc: mip6@ietf.org
References: <9E3BA3946476AD4EB94672712B12A85F04214E@ftmail.lab.flarion.com>
Subject: Re: [Mip6] rr weaknesses?
Date: Mon, 16 Feb 2004 10:08:02 +0100
Organization: Institute of Telematics, University of Karlsruhe (TH)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Transfer-Encoding: base64
Sender: mip6-admin@ietf.org
Errors-To: mip6-admin@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Id: <mip6.ietf.org>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=2.6 required=5.0 tests=AWL,MIME_BASE64_LATIN, MIME_BASE64_TEXT autolearn=no version=2.60
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: base64

Soliman Hesham wrote:
> [...]
> => The vulnerability of RR is simple: If an attacker
> gets hold of HOT and COT, it's over he can do whatever
> he wants. 
> [...]
[The complete reference is given below.]


Hi Soliman, hi Francis, hi Jari,

I might add that getting a HoT message - more precisely, a Home Keygen Token - is sufficient if the attacker wants to steal data from its victim. All the attacker needs is an IP address X which (1) it is reachable through (*), and (2) which it can use as a care-of address. The attacker would simply send a CoTI message on behalf of the victim using X as a care-of address. It would normally receive the returning CoT message because it is reachable at IP address X. Finally, the attacker could authenticate a faked BU message with the intercept Home Keygen Token and the Care-of Keygen Token from the (normally received) CoT message.

We have elaborated on this issue in section 6.1 of the Early Binding Updates proposal [1].

Note that the Care-of Keygen Token from an overheard CoT message would not be interesting for the attack described above. The reason is that a Care-of Keygen Token is bound to a particular care-of address. Therefore, an overheard Care-of Keygen Token could be used for a later replay attack, directing the victim's data to the victim's previous location [2], but that's about all.

(*) Actually, it is already sufficient if the attacker can listen to messages on the path between the CN and IP address X. The attacker would then have to eavesdrop on the returning CoT message rather than "normally receiving" it.

Best regards,


- Christian


[1] Early Binding Updates for Mobile IPv6
    http://www.ietf.org/internet-drafts/draft-vogt-mip6-early-binding-updates-00.txt
[2] Mobile IP version 6 Route Optimization Security Design Background
    http://www.ietf.org/internet-drafts/draft-nikander-mobileip-v6-ro-sec-02.txt


|
| Christian Vogt
| Institute of Telematics, University of Karlsruhe (TH)
| www.tm.uka.de/~chvogt/
|


Soliman Hesham wrote:
> Jari,
> 
>  >     As the return
>  >     routability is not considered by many people as very safe or
>  >     efficient, some new ways to
>  >
>  > I agree about the efficiency part*.
>  >
>  > But I'm wondering if you have any specific worries about the
>  > safety part. I mean beyond issues that already exist in plain
>  > IPv4 and IPv6, such as MitMs being able to do bad things.
> 
> => The vulnerability of RR is simple: If an attacker
> gets hold of HOT and COT, it's over he can do whatever
> he wants. In other words if he can generate HOTI and COTI
> (which is easy) and be able to receive HOT and COT then
> he could do whatever he wants. This is more than what can be
> done today in v4 or v6 because the attacker can move and
> continue to steal/bomb for the lifetime of the token.
> 
> I know there is nothing new in what I'm saying but IMO
> this is the bottom line vulnerability and it's because
> everything is done in the clear.
> 
>  > *) Well, I guess on the overall scheme of things, 1 RTT can
>  > be considered
>  > relatively effient.
> 
> => Efficiency is not an absolute thing. We need to know
> efficient for what? In scenarios where there is frequent
> mobility I don't think it's efficient in terms of air interface
> use or tolerable for most apps.
> 
> Hesham

v2.23.0 | Report a Bug | By Email