RE: Flooding Attacks and MIP6 (was RE: [Mipshop] Review of draft-arkko-mipshop-cga-cba-04)

["Narayanan, Vidya" <vidyan@qualcomm.com>]

> Vijay Devarapalli wrote: 

> Jari Arkko wrote:
> 
> >> 3. Using MIP6 home subscription to redirect traffic to the 
> victim. Of 
> >> course, the risk here is that of authenticated nodes 
> registering the 
> >> victim's IP address as its CoA.
> 
> > Let me first state that if I could redesign RFC 3775 today, I would 
> > probably NOT include an administrative security association 
> > relationship for the MN - HA. This would have made deployment much 
> > easier (e.g. DHCP assigned home agents without any of the 
> bootstrapping complexity).
> > And it would have gotten us rid of problem #3.
> 
> we could add a return routability check for the home agent to 
> check if the mobile node is at the CoA it is claiming in the 
> BU. but AFAIK, it has not been seen as an issue so far.
> 

I don't think adding a RR test for the CoA for home registration is a
good thing - this has to be repeated every time the CoA changes. Also,
I'm not saying this is needed. However, I am saying that there is
equivalence in home and CN registrations when CGA is used to create the
HoA and hence the RR test for CoA is NOT needed for the CN registrations
:) 

If this is seen as a huge problem, then it must be addressed for home
and CN registerations alike. I think that, for now, we can note the
issue and stop at that. 

> regarding the "administrative security association 
> relationship", things are no longer so rigid (RFC 3775 ties 
> an SA to the home address) with the bootstrapping specs. the 
> mobile node can be assigned any random home agent as long as 
> there is a way to authenticate each other.
> 

Agreed. 

Vidya

_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop