IETF Logo Mail Archive

Re: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

Christian Vogt <chvogt@tm.uka.de> Tue, 15 August 2006 07:50 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCthS-0000st-2o; Tue, 15 Aug 2006 03:50:58 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCthQ-0000sn-RD for mipshop@ietf.org; Tue, 15 Aug 2006 03:50:56 -0400
Received: from iramx1.ira.uni-karlsruhe.de ([141.3.10.80]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GCthP-0007SM-66 for mipshop@ietf.org; Tue, 15 Aug 2006 03:50:56 -0400
Received: from i72ms2.tm.uni-karlsruhe.de ([141.3.70.17] helo=smtp.ipv6.tm.uni-karlsruhe.de) by iramx1.ira.uni-karlsruhe.de with esmtps id 1GCth7-0002DL-3E; Tue, 15 Aug 2006 09:50:47 +0200
Received: from [IPv6:2001:638:204:6:20c:6eff:fe40:8d95] (archimedes.ipv6.tm.uni-karlsruhe.de [IPv6:2001:638:204:6:20c:6eff:fe40:8d95]) by smtp.ipv6.tm.uni-karlsruhe.de (Postfix) with ESMTP id 0A82B8657; Tue, 15 Aug 2006 09:50:35 +0200 (CEST)
Message-ID: <44E17CCA.9090800@tm.uka.de>
Date: Tue, 15 Aug 2006 09:50:34 +0200
From: Christian Vogt <chvogt@tm.uka.de>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.5) Gecko/20060725 SUSE/1.5.0.5-0.1 Thunderbird/1.5.0.5 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: Jari Arkko <jari.arkko@kolumbus.fi>, "Narayanan, Vidya" <vidyan@qualcomm.com>
Subject: Re: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
References: <C24CB51D5AA800449982D9BCB903251311A5E9@NAEX13.na.qualcomm.com> <44E0D802.5090307@kolumbus.fi>
In-Reply-To: <44E0D802.5090307@kolumbus.fi>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -4.5 (----)
X-Spam-Status: No
X-Spam-Report: -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] -0.1 AWL AWL: From: address is in the auto white-list
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 225414c974e0d6437992164e91287a51
Cc: Wassim Haddad <whaddad@tcs.hut.fi>, mipshop@ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org

Hi Vidya, hi Jari.

>> 4. Using MIP6 RO to redirect traffic to the victim. If there is a 
>> HoA test, here too, the risk is that of authenticated nodes 
>> registering the victim's IP address as its CoA. The HoA test cannot
>>  pass unless there is a valid binding for that node at the HA. When
>>  the HoA is created with CGAs, this situation has full equivalence 
>> with the home subscription. Note that I'm still not saying the 
>> MN-HA authenticated state has any meaning to the CN.
>> 
> That is the crux of the matter. Whatever arrangement exists between 
> the MN and its HA is invisible to the CN (under the assumption of 
> talking to a random Internet host). What the CN sees with a home test
>  is that the MN appears to be in control of receiving traffic at the 
> home address. This is sufficient for agreeing to route traffic 
> relating to that address differently, but it does not say anything 
> about the existence of the node at the care of address.
> 
> Of course, if there's a problem, the CN can go and complain to the 
> home network's admin. The admin may be able to find out the offending
>  node and turn it off. But the victim network admin needs to talk to 
> both the CN network and then indirectly the home network to get this 
> started; during the design of the original RR mechanisms it was felt 
> that its better to provide a mechanism that helps prevent these 
> situations -- even if the network admin and authorities could sort 
> out the situation later.

Yes, this is one point:  Proactivity is better than reactivity.

Another thing is that there may actually be no home agent and home
domain admin which a victim could contact.  (I mentioned this in the
previous email, but I guess it was lost in the noise.)  E.g., an
attacker may attach to a public WLAN, acquire a (possibly temporary) IP
address, and use this IP address as a HoA in combination with a false
CoA.  The attacker itself would then play the HA part during the HoA test.

Of course, the HoA test would in this case guarantee the attacker's
reachability of the alleged "HoA", and hence a victim could
theoretically track the attacker down by contacting the public WLAN
provider.  But there is no clear and, more importantly, fast procedure
that the victim could follow.

Also note that the business relationship between the attacker and the
public WLAN provider may only be of temporary nature (e.g., an hourly
subscription).

Ciao,
- Christian

-- 
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/



Jari Arkko wrote:
> Viday,
> 
> Thanks a lot of your review and starting an interesting technical
> discussion! Some further comments inline:
> 
>> I want to separate the topics out, since these are long
>> discussions. I'll start separate threads on a couple of other
>> related topics after this.
>> 
>> Summarizing the means by which flooding attacks can be realized:
>> 
>> 1. Directly flooding the victim by sending traffic to the victim -
>> as you pointed out, this requires reasonable amount of effort on
>> the attacker's part.
>> 
>> 
> Right.
> 
>> 2. Subscribing for bogus sessions using a victim's IP address (TCP
>> has some behavior that can help here, for e.g., slowing down if
>> proper acks aren't received, but it is possible to subscribe to
>> UDP/RTP sessions). This would allow the attacker to amplify the
>> attack without too much direct resource involvement.
>> 
>> 
> Yes -- but I believe for TCP this is hard, because it would imply
> being able to guess the sequence numbers. Otherwise the session won't
> even start. There are ways to guess the sequence numbers, but at
> least some of those ways involve additional cost for the attacker.
> 
>> 3. Using MIP6 home subscription to redirect traffic to the victim.
>> Of course, the risk here is that of authenticated nodes registering
>> the victim's IP address as its CoA.
>> 
>> 
> Right. TCP is not a barrier here.
> 
>> 4. Using MIP6 RO to redirect traffic to the victim. If there is a
>> HoA test, here too, the risk is that of authenticated nodes
>> registering the victim's IP address as its CoA. The HoA test cannot
>> pass unless there is a valid binding for that node at the HA. When
>> the HoA is created with CGAs, this situation has full equivalence
>> with the home subscription. Note that I'm still not saying the
>> MN-HA authenticated state has any meaning to the CN.
>> 
>> 
> That is the crux of the matter. Whatever arrangement exists between
> the MN and its HA is invisible to the CN (under the assumption of
> talking to a random Internet host). What the CN sees with a home test
> is that the MN appears to be in control of receiving traffic at the
> home address. This is sufficient for agreeing to route traffic
> relating to that address differently, but it does not say anything
> about the existence of the node at the care of address.
> 
> Of course, if there's a problem, the CN can go and complain to the
> home network's admin. The admin may be able to find out the offending
> node and turn it off. But the victim network admin needs to talk to
> both the CN network and then indirectly the home network to get this
> started; during the design of the original RR mechanisms it was felt
> that its better to provide a mechanism that helps prevent these
> situations -- even if the network admin and authorities could sort
> out the situation later.
> 
>> If I understand correctly, you are saying that MIP6 can be used to 
>> amplify flooding attacks. Even though I think in practice, 2 above
>> can be used to amplify flooding attacks, if that is the intention,
>> I can buy the argument that if say, 2 is solved by other means, you
>> will still be left with the possibility of amplification via 3 and
>> 4.
>> 
>> 
> I believe 2 is harder to achieve with TCP from the attacker's point
> of view than 3 (and 4 if we didn't have RR).
> 
> I am sure there are non-TCP attacks of class 2 that are serious. My
> belief is that we should work to reduce these amplification
> vulnerabilities in the entire stack.
> 
>> However, the point I struggle with is this - as I've said above, I
>> think there is equivalence in the attack that is possible with 3
>> and 4, assuming that the HoA is based on CGAs and a HoA test is
>> done. So, if we say RR for CoA is needed, it is equally needed for
>> 3 and 4. I don't see why it is needed for 4 alone in this case.
>> 
>> 
> Let me first state that if I could redesign RFC 3775 today, I would
> probably NOT include an administrative security association
> relationship for the MN - HA. This would have made deployment much
> easier (e.g. DHCP assigned home agents without any of the
> bootstrapping complexity). And it would have gotten us rid of problem
> #3.
> 
> We have occasionally talked about this change, though not very 
> seriously -- and I would not hold it as a precondition for doing RO 
> enhancements. In any case, in the current deployment model of Mobile
> IPv6 there is an administrative relationship which can be used to
> shut down misbehaving nodes or even send the authorities to catch the
> guilty. I still like to have a stronger flooding amplification 
> protection for the MN - CN relationship -- particularly if it does
> not have a cost in communications latency.
> 
> --Jari
> 



_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop

v2.23.0 | Report a Bug | By Email