Re: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
Jari Arkko <jari.arkko@kolumbus.fi> Mon, 14 August 2006 20:07 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCij0-00028K-BU; Mon, 14 Aug 2006 16:07:50 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCiiz-00028E-D8 for mipshop@ietf.org; Mon, 14 Aug 2006 16:07:49 -0400
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GCiix-0001JS-T0 for mipshop@ietf.org; Mon, 14 Aug 2006 16:07:49 -0400
Received: from p130.piuha.net (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 4436B8986D; Mon, 14 Aug 2006 23:07:46 +0300 (EEST)
Received: from [127.0.0.1] (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id B2D488984E; Mon, 14 Aug 2006 23:07:45 +0300 (EEST)
Message-ID: <44E0D802.5090307@kolumbus.fi>
Date: Mon, 14 Aug 2006 23:07:30 +0300
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla Thunderbird 1.0.8 (X11/20060725)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Narayanan, Vidya" <vidyan@qualcomm.com>
Subject: Re: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)
References: <C24CB51D5AA800449982D9BCB903251311A5E9@NAEX13.na.qualcomm.com>
In-Reply-To: <C24CB51D5AA800449982D9BCB903251311A5E9@NAEX13.na.qualcomm.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 057ebe9b96adec30a7efb2aeda4c26a4
Cc: Christian Vogt <chvogt@tm.uka.de>, Wassim Haddad <whaddad@tcs.hut.fi>, mipshop@ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
Viday, Thanks a lot of your review and starting an interesting technical discussion! Some further comments inline: >I want to separate the topics out, since these are long discussions. >I'll start separate threads on a couple of other related topics after >this. > >Summarizing the means by which flooding attacks can be realized: > >1. Directly flooding the victim by sending traffic to the victim - as >you pointed out, this requires reasonable amount of effort on the >attacker's part. > > Right. >2. Subscribing for bogus sessions using a victim's IP address (TCP has >some behavior that can help here, for e.g., slowing down if proper acks >aren't received, but it is possible to subscribe to UDP/RTP sessions). >This would allow the attacker to amplify the attack without too much >direct resource involvement. > > Yes -- but I believe for TCP this is hard, because it would imply being able to guess the sequence numbers. Otherwise the session won't even start. There are ways to guess the sequence numbers, but at least some of those ways involve additional cost for the attacker. >3. Using MIP6 home subscription to redirect traffic to the victim. Of >course, the risk here is that of authenticated nodes registering the >victim's IP address as its CoA. > > Right. TCP is not a barrier here. >4. Using MIP6 RO to redirect traffic to the victim. If there is a HoA >test, here too, the risk is that of authenticated nodes registering the >victim's IP address as its CoA. The HoA test cannot pass unless there is >a valid binding for that node at the HA. When the HoA is created with >CGAs, this situation has full equivalence with the home subscription. >Note that I'm still not saying the MN-HA authenticated state has any >meaning to the CN. > > That is the crux of the matter. Whatever arrangement exists between the MN and its HA is invisible to the CN (under the assumption of talking to a random Internet host). What the CN sees with a home test is that the MN appears to be in control of receiving traffic at the home address. This is sufficient for agreeing to route traffic relating to that address differently, but it does not say anything about the existence of the node at the care of address. Of course, if there's a problem, the CN can go and complain to the home network's admin. The admin may be able to find out the offending node and turn it off. But the victim network admin needs to talk to both the CN network and then indirectly the home network to get this started; during the design of the original RR mechanisms it was felt that its better to provide a mechanism that helps prevent these situations -- even if the network admin and authorities could sort out the situation later. >If I understand correctly, you are saying that MIP6 can be used to >amplify flooding attacks. Even though I think in practice, 2 above can >be used to amplify flooding attacks, if that is the intention, I can buy >the argument that if say, 2 is solved by other means, you will still be >left with the possibility of amplification via 3 and 4. > > I believe 2 is harder to achieve with TCP from the attacker's point of view than 3 (and 4 if we didn't have RR). I am sure there are non-TCP attacks of class 2 that are serious. My belief is that we should work to reduce these amplification vulnerabilities in the entire stack. >However, the point I struggle with is this - as I've said above, I think >there is equivalence in the attack that is possible with 3 and 4, >assuming that the HoA is based on CGAs and a HoA test is done. So, if we >say RR for CoA is needed, it is equally needed for 3 and 4. I don't see >why it is needed for 4 alone in this case. > > Let me first state that if I could redesign RFC 3775 today, I would probably NOT include an administrative security association relationship for the MN - HA. This would have made deployment much easier (e.g. DHCP assigned home agents without any of the bootstrapping complexity). And it would have gotten us rid of problem #3. We have occasionally talked about this change, though not very seriously -- and I would not hold it as a precondition for doing RO enhancements. In any case, in the current deployment model of Mobile IPv6 there is an administrative relationship which can be used to shut down misbehaving nodes or even send the authorities to catch the guilty. I still like to have a stronger flooding amplification protection for the MN - CN relationship -- particularly if it does not have a cost in communications latency. --Jari _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop
- [Mipshop] Review of draft-arkko-mipshop-cga-cba-04 Narayanan, Vidya
- Re: [Mipshop] Review of draft-arkko-mipshop-cga-c… Wassim Haddad
- RE: [Mipshop] Review of draft-arkko-mipshop-cga-c… Narayanan, Vidya
- [Mipshop] Review of draft-arkko-mipshop-cga-cba-04 Lakshminath Dondeti
- RE: [Mipshop] Review of draft-arkko-mipshop-cga-c… Narayanan, Vidya
- Re: [Mipshop] Review of draft-arkko-mipshop-cga-c… Christian Vogt
- Re: [Mipshop] Review of draft-arkko-mipshop-cga-c… Christian Vogt
- Flooding Attacks and MIP6 (was RE: [Mipshop] Revi… Narayanan, Vidya
- CGA-based HoA generation for MIP6 (was RE: [Mipsh… Narayanan, Vidya
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Jari Arkko
- RE: CGA-based HoA generation for MIP6 (was RE: [M… Narayanan, Vidya
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Jari Arkko
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Vijay Devarapalli
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Christian Vogt
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Jari Arkko
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Lakshminath Dondeti
- RE: CGA-based HoA generation for MIP6 (was RE: [M… Narayanan, Vidya
- RE: CGA-based HoA generation for MIP6 (was RE: [M… Wassim Haddad
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Lakshminath Dondeti
- Re: Flooding Attacks and MIP6 (was RE: [Mipshop] … Jari Arkko
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Christian Vogt
- Re: CGA-based HoA generation for MIP6 (was RE: [M… Vijay Devarapalli
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Christian Vogt
- RE: Flooding Attacks and MIP6 (was RE: [Mipshop] … Narayanan, Vidya