[Mipshop] NS-NA Exchange in draft-vidya-mipshop-handover-keys-aaa-01
Christian Vogt <chvogt@tm.uka.de> Tue, 13 December 2005 09:26 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Em6Qi-0002WH-58; Tue, 13 Dec 2005 04:26:40 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Em6Qb-0002Uy-PL for mipshop@megatron.ietf.org; Tue, 13 Dec 2005 04:26:38 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24629 for <mipshop@ietf.org>; Tue, 13 Dec 2005 04:25:33 -0500 (EST)
Received: from iramx1.ira.uni-karlsruhe.de ([141.3.10.80] ident=[U2FsdGVkX1+3T1Ne5T2VMxNSWteIDsCVAv7mqRLCU5c=]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Em6RW-00086y-9z for mipshop@ietf.org; Tue, 13 Dec 2005 04:27:30 -0500
Received: from i72ms2.tm.uni-karlsruhe.de ([141.3.70.17] helo=smtp.ipv6.tm.uni-karlsruhe.de) by iramx1.ira.uni-karlsruhe.de with esmtps id 1Em6QJ-0000X5-De; Tue, 13 Dec 2005 10:26:18 +0100
Received: from [141.3.71.115] (i72ibm03.tm.uni-karlsruhe.de [141.3.71.115]) by smtp.ipv6.tm.uni-karlsruhe.de (Postfix) with ESMTP id 23600B4BF; Tue, 13 Dec 2005 10:26:15 +0100 (CET)
Message-ID: <439E93B6.1060201@tm.uka.de>
Date: Tue, 13 Dec 2005 10:26:14 +0100
From: Christian Vogt <chvogt@tm.uka.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; us-US; rv:1.7.5) Gecko/20041206 Thunderbird/1.0 Mnenhy/0.7.2.0
X-Accept-Language: de-DE, de, en-us, en
MIME-Version: 1.0
To: Vidya Narayanan <vidya@motorola.com>, narayanan.venkitaraman@motorola.com, Hannes.Tschofenig@siemens.com, gerardo.giaretta@telecomitalia.it, julien.bournelle@int-evry.fr
X-Enigmail-Version: 0.92.0.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -14.0 (--------------)
X-Spam-Status: No
X-Spam-Report: -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] -9.6 AWL AWL: From: address is in the auto white-list
X-Spam-Score: 0.2 (/)
X-Scan-Signature: d185fa790257f526fedfd5d01ed9c976
Content-Transfer-Encoding: 7bit
Cc: Mipshop <mipshop@ietf.org>
Subject: [Mipshop] NS-NA Exchange in draft-vidya-mipshop-handover-keys-aaa-01
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Sender: mipshop-bounces@ietf.org
Errors-To: mipshop-bounces@ietf.org
Hi Vidya and co-authors, I read draft-vidya-mipshop-handover-keys-aaa-01.txt (henceforth called "the draft") and caught up with the meeting minutes from Vancouver. There was a brief discussion in Vancouver on the way CoA uniqueness is verified in the draft. The suggestion is to have the acess router (AR) send an NS and wait for responding NAs, where the mobile node claiming the CoA does *not* send an NA. This is sort of a DAD-like approach. Greg proposed that you better use OptiDAD instead. I do not fully agree. The draft uses the NS-NA exchange in order to mitigate the threat of connection hijacking by malicious (or inadvertent) redirection, whereas OptiDAD tackles inadvertent address collisions only. It's ok for OptiDAD to expose nodes to a short "phase of uncertainty" during which two nodes may use the same address because (a) the probability for such an event is vanishingly small anyway, and (b) other nodes' communications won't be affected due to the way OptiDAD handles use of Optimistic Addresses. But in draft-vidya-mipshop-handover-keys-aaa-01.txt, we talk about (a) malicious connection hijacking, which won't happen by an unlikely coincidence, and (b) packet redirection, which OptiDAD's rules for Optimistic Addresses cannot do much about. Running the NS-NA exchange in an OptiDAD style would have to be supplemented with a variant of Credit-Based Authorization, which in turn would require existing credit to be transferred from AR to AR. But note that the NS-NA exchange is concurrent anyway because it happens prior to handoff. Having said that, I guess that the suggested NS-NA exchange is fine from the perspective of performance... ...however, I have concerns with respect to the security it provides: Assume an attacker, spoofing a neighbor's CoA, jams the link when the AR sends the NS and/or when the victim sends its NA. The AR won't receive an NA from the victim then, and it will falsely assume that the attacker uses a correct CoA. F-MIPv6 solves this issue thus: [From RFC 4068, section 8] > If an access router can ensure that the source IP address in an > arriving packet could only have originated from the node whose > Link-Layer Address is in the router's neighbor cache, then a bogus > node cannot use a victim's IP address for malicious redirection of > traffic. Such an operation is recommended at least on neighbor > discovery messages including the RtSolPr message. This approach does not help if the attacker spoofs its L2 address, unfortunately. Seems that SEND is the only way to solve the issue. Without SEND, you could still force the attacker to stay on the old link if the old AR re-sends NSs until the tunnel is torn down, each successive transmissions spaced by a random amount of time. The attacker would have to jam the old link every so often, thus exposing itself as someone malicous. Besides, the new AR would never see the attacker arrive. You might be able to communicate this information back to the old AR, which could then tear down the tunnel. But this doesn't help much if the attack's purpose is DoS rather than connection hijacking... Regards, - Christian -- Christian Vogt, Institute of Telematics, University of Karlsruhe www.tm.uka.de/~chvogt/pubkey/ _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop
- [Mipshop] NS-NA Exchange in draft-vidya-mipshop-h… Christian Vogt
- Re: [Mipshop] NS-NA Exchange in draft-vidya-mipsh… Vidya Narayanan
- Re: [Mipshop] NS-NA Exchange in draft-vidya-mipsh… Christian Vogt
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… James Kempf
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… Christian Vogt
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… James Kempf
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… Vidya Narayanan
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… Christian Vogt
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… James Kempf
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… James Kempf
- Re: [Mipshop] NS-NA Exchange indraft-vidya-mipsho… Christian Vogt
- Re: [Mipshop] NS-NAExchange indraft-vidya-mipshop… James Kempf
- Re: [Mipshop] NS-NA Exchange in draft-vidya-mipsh… Christian Vogt
- Re: [Mipshop] NS-NA Exchange in draft-vidya-mipsh… James Kempf
- Re: [Mipshop] NS-NA Exchange in draft-vidya-mipsh… Christian Vogt