Re: [saag] time to authenticate dhcp?

"Steven M. Bellovin" <smb@cs.columbia.edu> Fri, 12 December 2008 08:54 UTC

Date: Fri, 12 Dec 2008 03:54:39 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Alper Yegin <alper.yegin@yegin.org>
Message-ID: <20081212035439.1c4cecbb@cs.columbia.edu>
In-Reply-To: <0aeb01c95bf4$2618ff10$724afd30$@yegin@yegin.org>
References: <20081208173839.0e26afe4@cs.columbia.edu> <7460.1228786061@marajade.sandelman.ca> <078a01c95a66$1f63ad80$5e2b0880$%yegin@yegin.org> <BLU137-W121BDE802F51B791A8AFF593FB0@phx.gbl> <1228924202.28471.6.camel@localhost> <200812102349.mBANnWRU021832@raisinbran.srv.cs.cmu.edu> <E9FEB7A5CB05A60A5F029C62@minbar.fac.cs.cmu.edu> <0aeb01c95bf4$2618ff10$724afd30$@yegin@yegin.org>
Organization: Columbia University
Cc: saag@ietf.org
Subject: Re: [saag] time to authenticate dhcp?

On Fri, 12 Dec 2008 02:54:06 +0200
"Alper Yegin" <alper.yegin@yegin.org> wrote:

>  
> > --On Thursday, December 11, 2008 01:49:07 AM +0200 Alper Yegin
> > <alper.yegin@yegin.org> wrote:
> > 
> > >> > For example, a wireless base station could drop the following
> > >> incoming
> > >> > packets on the wireless link:
> > >> >
> > >> > 1. IPv6 Router Advertisement packets (ICMP Type 134)
> > >> > 2. DHCPv4 packets sent to the client port (68)
> > >> > 3. DHCPv6 packets sent to the client port (546)
> > >>
> > >> That doesn't make things worse, but it also doesn't help if the
> > >> attacker's system is acting as a base station (bridging selected
> > >> traffic
> > >> through to the legitimate base station).
> > >
> > >
> > > The rogue entity inserting itself between the victim host and
> > legitimate
> > > base station (Mitm) is a much harder attack. So, the filtering has
> > > considerable value.
> > >
> > > Furthermore, one way to address this "MitM" attack is to use L2
> > access
> > > authentication. That way the host knows it is connected to a
> > legitimate
> > > network.
> > 
> > What's a "legitimate network"?  I don't share any authentication
> > secrets
> > with my local Panera Bread.
> 
> I was referring to "L2 authentication." In cases where L2
> authentication is used, your host has either a PSK with the WiFi AP
> (e.g., home gateway), or a PSK/cert with an AAA server that has a
> direct (or hop-by-hop) PSK with the AAA client on the AP (e.g.,
> enterprise/operator WiFi).
> 
Again, what about Panera?  They don't charge; they don't have much need
for that sort of infrastructure.

Besides, how do people register in the first place?  Is this the real
AP, or is it an evil twin pointing at a credit card-stealing service?


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
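Added example, written for this archive page and not code from the thread or any of its participants: a minimal ingress classifier for the three drop rules quoted above (IPv6 Router Advertisement, DHCPv4 to client port 68, DHCPv6 to client port 546), applied to raw Ethernet frames, with constructed sample frames. All helper names are my own; the classifier deliberately does not walk IPv6 extension headers, which a real base-station filter must handle or the RA rule is bypassable.

```python
import struct

# Constants from the filtering rules quoted in the thread
ICMPV6_ROUTER_ADVERTISEMENT = 134
DHCPV4_CLIENT_PORT = 68
DHCPV6_CLIENT_PORT = 546

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
IPPROTO_UDP, IPPROTO_ICMPV6 = 17, 58


def should_drop_from_wireless(frame: bytes) -> bool:
    """True if a frame arriving from the wireless side matches one of the
    three rules. Truncated or unrelated frames are left alone (False).
    Caveat: IPv6 extension headers are not walked; a production filter
    must parse them (or drop RAs that carry them) to avoid trivial evasion."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = frame[14:]
    if ethertype == ETH_IPV4 and len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
        if pkt[9] == IPPROTO_UDP and len(pkt) >= ihl + 4:
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
            return dport == DHCPV4_CLIENT_PORT
    elif ethertype == ETH_IPV6 and len(pkt) >= 40:
        nxt, l4 = pkt[6], pkt[40:]  # next header, transport payload
        if nxt == IPPROTO_ICMPV6 and len(l4) >= 1:
            return l4[0] == ICMPV6_ROUTER_ADVERTISEMENT
        if nxt == IPPROTO_UDP and len(l4) >= 4:
            return struct.unpack("!H", l4[2:4])[0] == DHCPV6_CLIENT_PORT
    return False


# --- constructed sample frames (addresses and payloads are arbitrary) ---
def _eth(ethertype: int, pkt: bytes) -> bytes:
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + pkt

def ipv4_udp(dport: int) -> bytes:
    # 20-byte IPv4 header (IHL=5, proto=UDP) followed by an 8-byte UDP header
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, IPPROTO_UDP]) + b"\0" * 10
    return _eth(ETH_IPV4, ip + struct.pack("!HHHH", 67, dport, 8, 0))

def ipv6(nxt: int, l4: bytes) -> bytes:
    # 40-byte IPv6 header with no extension headers
    ip = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(l4), nxt, 255) + b"\0" * 32
    return _eth(ETH_IPV6, ip + l4)

def ipv6_udp(dport: int) -> bytes:
    return ipv6(IPPROTO_UDP, struct.pack("!HHHH", 547, dport, 8, 0))

def icmpv6(msg_type: int) -> bytes:
    return ipv6(IPPROTO_ICMPV6, bytes([msg_type, 0, 0, 0]))
```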
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag