RE: [NSIS] comments on NSIS Security Threats ID
"Hancock, Robert" <robert.hancock@roke.co.uk> Sat, 13 March 2004 16:19 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20084 for <nsis-archive@odin.ietf.org>; Sat, 13 Mar 2004 11:19:59 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B2BrH-0005GF-Ht for nsis-archive@odin.ietf.org; Sat, 13 Mar 2004 11:19:31 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2DGJVRW020208 for nsis-archive@odin.ietf.org; Sat, 13 Mar 2004 11:19:31 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B2Bqn-0005Dk-0s; Sat, 13 Mar 2004 11:19:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B2Bq6-0005C2-1C for nsis@optimus.ietf.org; Sat, 13 Mar 2004 11:18:20 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20059 for <nsis@ietf.org>; Sat, 13 Mar 2004 11:18:11 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B2Bpw-0005wt-00 for nsis@ietf.org; Sat, 13 Mar 2004 11:18:08 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B2Bo8-0005tX-00 for nsis@ietf.org; Sat, 13 Mar 2004 11:16:17 -0500
Received: from rsys002a.roke.co.uk ([193.118.192.251]) by ietf-mx with esmtp (Exim 4.12) id 1B2BmJ-0005lf-00 for nsis@ietf.org; Sat, 13 Mar 2004 11:14:23 -0500
Received: by rsys002a.roke.co.uk with Internet Mail Service (5.5.2657.72) id <1ZGN105F>; Sat, 13 Mar 2004 16:13:41 -0000
Message-ID: <EA943CD30BCB104E9D38F5B5DC2D9A70019A0404@rsys004a.roke.co.uk>
From: "Hancock, Robert" <robert.hancock@roke.co.uk>
To: 'Kappler Cornelia' <cornelia.kappler@siemens.com>, Tschofenig Hannes <hannes.tschofenig@siemens.com>, nsis@ietf.org
Subject: RE: [NSIS] comments on NSIS Security Threats ID
Date: Sat, 13 Mar 2004 16:13:52 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
hi, a comment on cornelia's comment (which in her email is targeted at 4.3 but which i think is actually about 4.4): > -----Original Message----- > From: Kappler Cornelia [mailto:cornelia.kappler@siemens.com] > Sent: Saturday, March 13, 2004 04:35 > To: Tschofenig Hannes; nsis@ietf.org > Subject: [NSIS] comments on NSIS Security Threats ID > > > Hi Hannes, > my comments mostly relate to the structure of Sec 4 (along > similar lines as Robert was suggesting), and to problems I > have understanding identity spoofing of flow identifieres. See below. [snip] > The 3rd paragraph introduces exploitation of the spoofing of > flow identifiers. The remaining paragraphs of 4.3 all seem to > discuss this problem in more detail. It took me some time to > realize this, may be you could add an explaining sentence. > 2nd last paragraph of 4.3: "The ability...to inject data > atraffic..requires the ability to also receive the data > traffic. This is, however, true only if the flow identifier > consists of a value that contains addresses used for > routing." the real point is more subtle. compared to the original "The ability for an adversary to inject data traffic that matches a certain flow identifier established by a legitimate user often requires the ability also to receive the data traffic. " one might emphasise "The ability for an adversary to inject data traffic that matches a certain flow identifier established by a legitimate user and to get some benefit from injecting that traffic ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ often requires the ability also to receive the data traffic. or to have one's correspondent receive it. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" > Doesnt seem to make sense. I can picture various > scenarios where I am able to receive data traffic not really > destined to me, independent of the structure of the flow > identifier...!? you can always try to receive on-link traffic for one of your neighbours, but that is not really the issue. the point is: a) a 'reservation' has an associated filter specification b) it also has an intended beneficiary c) all traffic that matches (a) will get the benefit, but d) that traffic may not be associated with the beneficiary (b) now, it is possible to write filter specifications which are similarly fine-grained, but which are very different in the possibilities they allow other users to generate traffic which is useful to them but not what the original user intended. hence the threat. apart from per-packet cryptographic authentication at each router, it's difficult to counter this type of threat. the approach being discussed here is to say that if you specify traffic some ways, the forwarding system itself (i.e. the most fundamental part of the network layer) will provide some protection. the arguments are similar to what was done for mip6 (see draft-nikander-mobileip-v6-ro-sec-02). some examples may be needed. *) reserve class X for traffic with SPI=fred ==> anyone can set SPI=fred in their own packets and get class X for them. *) reserve class X for traffic with proto/port=TCP/80 and source=myself ==> all my outgoing web traffic will get class X; but so will that from anyone else who spoofs my source address. (it's hard but not impossible for the spoofer to benefit from this.) if applied, ingress filtering on the traffic will make it harder. *) reserve class X for traffic with proto/port=TCP/80 and destination=myself ==> all my incoming traffic will get class X; if we assume destination address spoofing is impossible, we are just about done. [all these examples are slightly artificial, since the NTLP would have difficulty in routing messages about such vaguely specified flows, but they make the general point.] some master wordsmithing may be required. r. > The same paragraph continues: "If ... using...a flow > identifier that do not require such a property (CK: i.e. > addresses used for routing I assume?? Or ability to receive > data traffic? But this I think is independent of the > structure of the flow identifier) then ...injecting traffic > are much easier." Doesnt make sense to me either (I may just > have problems catching on...) _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] comments on NSIS Security Threats ID Kappler Cornelia
- RE: [NSIS] comments on NSIS Security Threats ID Hancock, Robert
- [NSIS] RE: comments on NSIS Security Threats ID Tschofenig Hannes