AW: [NSIS] comments on NSIS Security Threats ID
Kappler Cornelia <cornelia.kappler@siemens.com> Tue, 16 March 2004 11:05 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA23824 for <nsis-archive@odin.ietf.org>; Tue, 16 Mar 2004 06:05:46 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3CNc-0002KV-OF for nsis-archive@odin.ietf.org; Tue, 16 Mar 2004 06:05:20 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2GB54tp008952 for nsis-archive@odin.ietf.org; Tue, 16 Mar 2004 06:05:04 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3CNb-0002Jx-5H; Tue, 16 Mar 2004 06:05:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3CNE-0002It-WC for nsis@optimus.ietf.org; Tue, 16 Mar 2004 06:04:41 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA23783 for <nsis@ietf.org>; Tue, 16 Mar 2004 06:04:36 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B3CNB-00067k-00 for nsis@ietf.org; Tue, 16 Mar 2004 06:04:37 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B3CMN-000635-00 for nsis@ietf.org; Tue, 16 Mar 2004 06:03:48 -0500
Received: from goliath.siemens.de ([192.35.17.28]) by ietf-mx with esmtp (Exim 4.12) id 1B3CLK-0005yd-00 for nsis@ietf.org; Tue, 16 Mar 2004 06:02:42 -0500
Received: from mail3.siemens.de (mail3.siemens.de [139.25.208.14]) by goliath.siemens.de (8.11.7/8.11.7) with ESMTP id i2GB2gv06415 for <nsis@ietf.org>; Tue, 16 Mar 2004 12:02:42 +0100 (MET)
Received: from blues.mchh.siemens.de (blues.mchh.siemens.de [139.21.204.206]) by mail3.siemens.de (8.11.7/8.11.7) with ESMTP id i2GB2bV02684 for <nsis@ietf.org>; Tue, 16 Mar 2004 12:02:37 +0100 (MET)
Received: from mchh275e.mchh.siemens.de (mchh275e.mchh.siemens.de [139.21.200.61]) by blues.mchh.siemens.de (8.9.3/8.9.1) with ESMTP id MAA19998 for <nsis@ietf.org>; Tue, 16 Mar 2004 12:02:13 +0100 (MET)
Received: by mchh275e.mchh.siemens.de with Internet Mail Service (5.5.2657.72) id <FF4B6VKP>; Tue, 16 Mar 2004 12:02:35 +0100
Message-ID: <4D486782CA36D4118A530000D11EA42A022C7C73@blns204e.bln.icn.siemens.de>
From: Kappler Cornelia <cornelia.kappler@siemens.com>
To: HANCOCK ROBERT <robert.hancock@roke.co.uk>, Tschofenig Hannes <hannes.tschofenig@siemens.com>, nsis@ietf.org
Subject: AW: [NSIS] comments on NSIS Security Threats ID
Date: Tue, 16 Mar 2004 12:02:32 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Hi Robert, thanks for the enlightening clarification. I understand the threat and the possible solution path now, however the current text IMHO just does not at all explain it. It is just too short. Cornelia > -----Ursprüngliche Nachricht----- > Von: Hancock, Robert [mailto:robert.hancock@roke.co.uk] > Gesendet: Samstag, 13. März 2004 17:14 > An: 'Kappler Cornelia'; Tschofenig Hannes; nsis@ietf.org > Betreff: RE: [NSIS] comments on NSIS Security Threats ID > > > hi, > > a comment on cornelia's comment (which in her email is > targeted at 4.3 but which i think is actually about 4.4): > > > -----Original Message----- > > From: Kappler Cornelia [mailto:cornelia.kappler@siemens.com] > > Sent: Saturday, March 13, 2004 04:35 > > To: Tschofenig Hannes; nsis@ietf.org > > Subject: [NSIS] comments on NSIS Security Threats ID > > > > > > Hi Hannes, > > my comments mostly relate to the structure of Sec 4 (along > > similar lines as Robert was suggesting), and to problems I > > have understanding identity spoofing of flow identifieres. > See below. > [snip] > > > The 3rd paragraph introduces exploitation of the spoofing of > > flow identifiers. The remaining paragraphs of 4.3 all seem to > > discuss this problem in more detail. It took me some time to > > realize this, may be you could add an explaining sentence. > > 2nd last paragraph of 4.3: "The ability...to inject data > > atraffic..requires the ability to also receive the data > > traffic. This is, however, true only if the flow identifier > > consists of a value that contains addresses used for > > routing." > > the real point is more subtle. compared to the original > "The ability for an adversary to inject data traffic that matches a > certain flow identifier established by a legitimate user often > requires the ability also to receive the data traffic. " > > one might emphasise > "The ability for an adversary to inject data traffic that matches a > certain flow identifier established by a legitimate user > and to get some benefit from injecting that traffic > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > often > requires the ability also to receive the data traffic. > or to have one's correspondent receive it. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" > > > Doesnt seem to make sense. I can picture various > > scenarios where I am able to receive data traffic not really > > destined to me, independent of the structure of the flow > > identifier...!? > > you can always try to receive on-link traffic for one of > your neighbours, but that is not really the issue. the > point is: > a) a 'reservation' has an associated filter specification > b) it also has an intended beneficiary > c) all traffic that matches (a) will get the benefit, but > d) that traffic may not be associated with the beneficiary (b) > > now, it is possible to write filter specifications which are > similarly fine-grained, but which are very different in the > possibilities they allow other users to generate traffic which > is useful to them but not what the original user intended. > hence the threat. > > apart from per-packet cryptographic authentication at each > router, it's difficult to counter this type of threat. the > approach being discussed here is to say that if you specify > traffic some ways, the forwarding system itself (i.e. the most > fundamental part of the network layer) will provide some > protection. the arguments are similar to what was done for > mip6 (see draft-nikander-mobileip-v6-ro-sec-02). > > some examples may be needed. > > *) reserve class X for traffic with SPI=fred > ==> anyone can set SPI=fred in their own packets and get > class X for them. > > *) reserve class X for traffic with proto/port=TCP/80 and > source=myself > ==> all my outgoing web traffic will get class X; but so > will that from anyone else who spoofs my source address. > (it's hard but not impossible for the spoofer to benefit > from this.) if applied, ingress filtering on the traffic > will make it harder. > > *) reserve class X for traffic with proto/port=TCP/80 and > destination=myself > ==> all my incoming traffic will get class X; if we assume > destination address spoofing is impossible, we are just > about done. > > [all these examples are slightly artificial, since the NTLP > would have difficulty in routing messages about such vaguely > specified flows, but they make the general point.] > > some master wordsmithing may be required. > > r. > > > The same paragraph continues: "If ... using...a flow > > identifier that do not require such a property (CK: i.e. > > addresses used for routing I assume?? Or ability to receive > > data traffic? But this I think is independent of the > > structure of the flow identifier) then ...injecting traffic > > are much easier." Doesnt make sense to me either (I may just > > have problems catching on...) > > -- > > Visit our website at www.roke.co.uk > > Registered Office: Roke Manor Research Ltd, Siemens House, > Oldbury, Bracknell, > Berkshire. RG12 8FZ > > The information contained in this e-mail and any attachments > is confidential to > Roke Manor Research Ltd and must not be passed to any third > party without > permission. This communication is for information only and > shall not create or > change any contractual relationship. > _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- AW: [NSIS] comments on NSIS Security Threats ID Kappler Cornelia