IETF Logo Mail Archive

Re: Proposal for PSAMP-PROTO section 6.5.2.6

Youki Kadobayashi <youki-k@is.aist-nara.ac.jp> Thu, 23 March 2006 07:11 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FMJz9-0007ce-2R for psamp-archive@lists.ietf.org; Thu, 23 Mar 2006 02:11:55 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FMJz7-0003KH-G1 for psamp-archive@lists.ietf.org; Thu, 23 Mar 2006 02:11:55 -0500
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-psamp@ops.ietf.org>) id 1FMJvd-000FOE-23 for psamp-data@psg.com; Thu, 23 Mar 2006 07:08:17 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO autolearn=ham version=3.1.0
Received: from [163.221.82.75] (helo=mailrelay.naist.jp) by psg.com with esmtp (Exim 4.60 (FreeBSD)) (envelope-from <youki-k@is.aist-nara.ac.jp>) id 1FMJvb-000FO0-Be for psamp@ops.ietf.org; Thu, 23 Mar 2006 07:08:15 +0000
Received: from mailpost.naist.jp (mailscan.naist.jp [163.221.82.70]) by mailrelay.naist.jp (Postfix) with ESMTP id DE6C71E83 for <psamp@ops.ietf.org>; Thu, 23 Mar 2006 16:08:10 +0900 (JST)
Received: from [127.0.0.1] (sh.naist.jp [163.221.10.10]) by mailpost.naist.jp (Postfix) with ESMTP id 450131E7A for <psamp@ops.ietf.org>; Thu, 23 Mar 2006 16:08:10 +0900 (JST)
Message-ID: <4422495B.3070704@is.aist-nara.ac.jp>
Date: Thu, 23 Mar 2006 16:08:11 +0900
From: Youki Kadobayashi <youki-k@is.aist-nara.ac.jp>
User-Agent: Thunderbird 1.5 (X11/20060322)
MIME-Version: 1.0
To: psamp@ops.ietf.org
Subject: Re: Proposal for PSAMP-PROTO section 6.5.2.6
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Sender: owner-psamp@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb

Dear PSAMP folks,

I am interested in the network attack tracing scenario of trajectory sampling,
as documented in the Section 6.2.1.2 of draft-ietf-psamp-sample-tech-07.

Here's my comments to draft-ietf-psamp-protocol-04 regarding hash-based filtering:

In section 6.5.2.6 it doesn't mention IPv6.  I assume you will refer readers to
(or copy texts from) the Section 6.2.3.3 of draft-ietf-psamp-sample-tech-07.
If this is the case, I find potential weakness here.
Attacker can evade trajectory sampling if 1) he can arbitarily choose byte
number 10,11,14,15,16 of IPv6 src/dest addresses, and 2) hash selection range
S is known to the attacker.  1) is feasible since it is EUI-64, and 2) is
feasible if S remains identical Internet-wide, for a long period of time.

Regarding the BOB hash function: I wonder if someone have evaluated the
cryptographic soundness (i.e., one-wayness and collision resistance) of BOB.
If so, it would be useful to point at the cryptanalysis document of BOB.  If
not, I can volunteer to ask nearby cryptographers to look at it.

If BOB is found not to be collision resistant, attacker may come up with very
fast algorithm to manipulate IP payload (or IP-ID field) so that every attack
packet evades detection.

N.B. I am aware of  the folllowing paper, where the authors conducted statistical
(that is, not cryptoanalytic) testing of IPSX and BOB.
http://public.research.att.com/~duffield/papers/31-085A.pdf

Maybe this is a reccuring topic though.

P.S.
  Kudos to all of your standardization efforts.

-- 
    Youki Kadobayashi
    WIDE Project

--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>

v2.46.0 | Report a Bug | By Email | System Status