IETF Logo Mail Archive

RE: [NSIS] comments on NSIS Security Threats ID

"Hancock, Robert" <robert.hancock@roke.co.uk> Sat, 13 March 2004 16:19 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20084 for <nsis-archive@odin.ietf.org>; Sat, 13 Mar 2004 11:19:59 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B2BrH-0005GF-Ht for nsis-archive@odin.ietf.org; Sat, 13 Mar 2004 11:19:31 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2DGJVRW020208 for nsis-archive@odin.ietf.org; Sat, 13 Mar 2004 11:19:31 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B2Bqn-0005Dk-0s; Sat, 13 Mar 2004 11:19:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B2Bq6-0005C2-1C for nsis@optimus.ietf.org; Sat, 13 Mar 2004 11:18:20 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20059 for <nsis@ietf.org>; Sat, 13 Mar 2004 11:18:11 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B2Bpw-0005wt-00 for nsis@ietf.org; Sat, 13 Mar 2004 11:18:08 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B2Bo8-0005tX-00 for nsis@ietf.org; Sat, 13 Mar 2004 11:16:17 -0500
Received: from rsys002a.roke.co.uk ([193.118.192.251]) by ietf-mx with esmtp (Exim 4.12) id 1B2BmJ-0005lf-00 for nsis@ietf.org; Sat, 13 Mar 2004 11:14:23 -0500
Received: by rsys002a.roke.co.uk with Internet Mail Service (5.5.2657.72) id <1ZGN105F>; Sat, 13 Mar 2004 16:13:41 -0000
Message-ID: <EA943CD30BCB104E9D38F5B5DC2D9A70019A0404@rsys004a.roke.co.uk>
From: "Hancock, Robert" <robert.hancock@roke.co.uk>
To: 'Kappler Cornelia' <cornelia.kappler@siemens.com>, Tschofenig Hannes <hannes.tschofenig@siemens.com>, nsis@ietf.org
Subject: RE: [NSIS] comments on NSIS Security Threats ID
Date: Sat, 13 Mar 2004 16:13:52 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>

hi,

a comment on cornelia's comment (which in her email is
targeted at 4.3 but which i think is actually about 4.4):

> -----Original Message-----
> From: Kappler Cornelia [mailto:cornelia.kappler@siemens.com]
> Sent: Saturday, March 13, 2004 04:35
> To: Tschofenig Hannes; nsis@ietf.org
> Subject: [NSIS] comments on NSIS Security Threats ID
> 
> 
> Hi Hannes, 
> my comments mostly relate to the structure of Sec 4 (along 
> similar lines as Robert was suggesting), and to problems I 
> have understanding identity spoofing of flow identifieres. See below. 
[snip]

> The 3rd paragraph introduces exploitation of the spoofing of 
> flow identifiers. The remaining paragraphs of 4.3 all seem to 
> discuss this problem in more detail. It took me some time to 
> realize this, may be you could add an explaining sentence.
> 2nd last paragraph of 4.3: "The ability...to inject data 
> atraffic..requires the ability to also receive the data 
> traffic. This is, however, true only if the flow identifier 
> consists of a value that contains addresses used for 
> routing." 

the real point is more subtle. compared to the original
"The ability for an adversary to inject data traffic that matches a 
   certain flow identifier established by a legitimate user often 
   requires the ability also to receive the data traffic. "

one might emphasise 
"The ability for an adversary to inject data traffic that matches a 
   certain flow identifier established by a legitimate user 
and to get some benefit from injecting that traffic
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
often 
   requires the ability also to receive the data traffic. 
or to have one's correspondent receive it.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"

> Doesnt seem to make sense. I can picture various 
> scenarios where I am able to receive data traffic not really 
> destined to me, independent of the structure of the flow 
> identifier...!?

you can always try to receive on-link traffic for one of
your neighbours, but that is not really the issue. the
point is:
a) a 'reservation' has an associated filter specification
b) it also has an intended beneficiary
c) all traffic that matches (a) will get the benefit, but
d) that traffic may not be associated with the beneficiary (b)

now, it is possible to write filter specifications which are
similarly fine-grained, but which are very different in the 
possibilities they allow other users to generate traffic which
is useful to them but not what the original user intended. 
hence the threat.

apart from per-packet cryptographic authentication at each
router, it's difficult to counter this type of threat. the
approach being discussed here is to say that if you specify
traffic some ways, the forwarding system itself (i.e. the most 
fundamental part of the network layer) will provide some
protection. the arguments are similar to what was done for
mip6 (see draft-nikander-mobileip-v6-ro-sec-02).

some examples may be needed.

*) reserve class X for traffic with SPI=fred
==> anyone can set SPI=fred in their own packets and get
class X for them.

*) reserve class X for traffic with proto/port=TCP/80 and
source=myself
==> all my outgoing web traffic will get class X; but so
will that from anyone else who spoofs my source address.
(it's hard but not impossible for the spoofer to benefit 
from this.) if applied, ingress filtering on the traffic
will make it harder.

*) reserve class X for traffic with proto/port=TCP/80 and
destination=myself
==> all my incoming traffic will get class X; if we assume
destination address spoofing is impossible, we are just 
about done.

[all these examples are slightly artificial, since the NTLP
would have difficulty in routing messages about such vaguely
specified flows, but they make the general point.]

some master wordsmithing may be required.

r.

> The same paragraph continues: "If ... using...a flow 
> identifier that do not require such a property (CK: i.e. 
> addresses used for routing I assume?? Or ability to receive 
> data traffic? But this I think is independent of the 
> structure of the flow identifier) then ...injecting traffic 
> are much easier." Doesnt make sense to me either (I may just 
> have problems catching on...)

_______________________________________________
nsis mailing list
nsis@ietf.org
https://www1.ietf.org/mailman/listinfo/nsis

v2.23.0 | Report a Bug | By Email