Hi,
On 08/06/2007, at 10:20, Jari Arkko wrote:
Hi Fred,
Hence, I would like to use SeND to exchange RFC 3401 addresses, and
have H1 do so with any system that it wants to talk with/through on
its local LAN for any address relevant to the association prior to
other L3 exchanges. Host-to-host within the LAN, I would expect that
to be limited to link-local addresses as it is now (one could also
send everything through the router, but that solution doesn't help
LANs that have no router, and has limitations on very busy LANs). With
any system originating SeND-authenticated Router Advertisements, I
would expect that it would do so for any address it wants to use
off-LAN.
This is an interesting case.
So SEND gives you secure mapping of IP to L2 addresses, as
well as address ownership.
right
but what is exactly what we are trying to secure? I mean, as I
understand it, SeND is used to secure the process of ND state creation.
I mean, SeND is used to make sure that when ND related state is
installed in a router or a host, the state is authentic. In particular,
the IP address L2 address binding state, the available prefix state and
so on.
However, it seems to me that we are talking about something different
here. As I understand it (maybe I got it wrong), here we don't want to
verify that some state that a router or a host is installing is
authentic, but rather that a given packet is compliant, in particular,
that it has been originated by the owner of the ip address that has
been used as source address. I guess that CGA/SeND would provide the
basis to do that, since CGAs can be used to prove address ownership,
but as I understand this, this type of approach would require for every
packet to carry authentication information, since the goal is to prove
that each packet is generated by the address owner, right?
SEND currently does nothing for actual traffic packets, so presumably
you are thinking of maintaining some state or performing some
extra verification tasks at the router. This would allow the SEND-
secured mapping and ownership to be used for a packet forwarding
decision.
but for this, we would also need some additional validation information
in the packet itself, right? I mean even if you are certain that there
is a node that owns a given address in the link, you cannot verify that
this node has generated the actual packet that the router is
forwarding...
or would it be enough just to verify that packets contain source
addresses belonging to nodes that exist and we don't need to care about
the fact the source address owner actually generated the packet?
It would probably be a bad idea for the router to listen to all
NA/NS traffic. So I'm not sure we want to base the state
on that.
Are you thinking of the router making an extra SEND
operation to verify ownership when it for the first time
sees a packet? It could send an NS and verify the resulting
NA. And use this for the forwarding decision.
this would verify that a given node exists with the source address of
the packet and that it has the associated L2 address
This would not, however, prevent someone who can forge
L2 source addresses from claiming that an IP packet came
from a host. So for a full solution I guess you would also
need to enforce L2 source addresses, either through
switch configuration or L2 security.
exactly
regards, marcelo
If I'm off in the weeds, I'm willing to be told as much. In the case,
though, I'm very concerned.
I don't think you are off in the weeds -- this is an interesting
direction for the SAVA problem. But more work is definitely
needed.
Jari
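The router-side check sketched above (solicit a SEND-protected NA the first time a source address is seen, then use the resulting binding for the forwarding decision, and additionally pin the L2 origin to a switch port because L2 source addresses alone can be forged) can be modelled as a small state machine. The following is an added illustration written for this archive page; it is not code from the thread, from SEND, or from any router implementation. SEND's CGA and RSA-signature validation of the NA (RFC 3971/3972) is abstracted into a `send_valid` flag on a constructed NA object, and the `Router`, `Packet`, `NeighborAdvertisement` names and the `enforce_port` switch are assumptions of this model.

```python
# Added illustration of the router-side check discussed in the thread. It is
# not code from the thread, from SEND or from any router: the router learns a
# (source IPv6, L2 address, ingress port) binding the first time it sees a
# source, by soliciting a SEND-protected NA, and then uses that binding for
# the forwarding decision. SEND's CGA/RSA verification of the NA is abstracted
# into a boolean on the constructed NeighborAdvertisement object.

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    PENDING = "pending"    # NS sent, waiting for a SEND-verified NA
    VERIFIED = "verified"  # binding confirmed by a SEND-valid NA


@dataclass
class Binding:
    state: State
    l2: Optional[str] = None
    port: Optional[str] = None


@dataclass
class Packet:
    src_ip: str   # IPv6 source address
    src_l2: str   # L2 (MAC) source address
    in_port: str  # ingress port on the router/switch


@dataclass
class NeighborAdvertisement:
    target: str
    l2: str
    port: str
    # Stand-in for the outcome of SEND's CGA + RSA signature check (assumed, not real SEND)
    send_valid: bool


@dataclass
class Router:
    # Whether the ingress port is enforced in addition to the L2 address.
    enforce_port: bool = True
    bindings: Dict[str, Binding] = field(default_factory=dict)
    sent_ns: List[str] = field(default_factory=list)  # NS targets "sent" (simulated)

    def forward(self, pkt: Packet) -> str:
        """Return the forwarding decision for an on-link packet: 'forward', 'hold' or 'drop'."""
        b = self.bindings.get(pkt.src_ip)
        if b is None:
            # First packet from this source: solicit a NA and hold the packet
            # until the address owner has proven itself.
            self.bindings[pkt.src_ip] = Binding(State.PENDING)
            self.sent_ns.append(pkt.src_ip)
            return "hold"
        if b.state is State.PENDING:
            return "hold"
        # VERIFIED: some node owns this address and answers from b.l2. This says
        # nothing about who generated *this* packet, so the most we can check is
        # that the packet's L2 origin matches the binding ...
        if pkt.src_l2 != b.l2:
            return "drop"
        # ... and, if the switch lets us, that it arrived on the port the owner
        # used. Without this, a forged L2 source address passes the check.
        if self.enforce_port and pkt.in_port != b.port:
            return "drop"
        return "forward"

    def receive_na(self, na: NeighborAdvertisement) -> bool:
        """Install a binding from a NA only if we solicited it and SEND accepted it."""
        b = self.bindings.get(na.target)
        if b is None or b.state is not State.PENDING or not na.send_valid:
            return False  # unsolicited, already verified, or unverifiable: ignore
        self.bindings[na.target] = Binding(State.VERIFIED, na.l2, na.port)
        return True


def demo() -> List[str]:
    """Walk through the cases discussed in the thread with constructed packets."""
    r = Router()
    owner = Packet("2001:db8::10", "02:00:00:00:00:10", "port1")
    results = [r.forward(owner)]  # unknown source -> hold, NS sent
    r.receive_na(NeighborAdvertisement("2001:db8::10", "02:00:00:00:00:10", "port1", True))
    results.append(r.forward(owner))  # verified -> forward
    results.append(r.forward(Packet("2001:db8::10", "02:00:00:00:00:66", "port2")))  # wrong L2 -> drop
    results.append(r.forward(Packet("2001:db8::10", "02:00:00:00:00:10", "port2")))  # copied L2, other port -> drop
    r.enforce_port = False
    results.append(r.forward(Packet("2001:db8::10", "02:00:00:00:00:10", "port2")))  # copied L2 passes without port check
    return results
```

The last two decisions in `demo()` are the point Jari makes at the end: once the binding is verified, the router only knows that the owner answers from a given L2 address, so a packet that copies that L2 address is indistinguishable unless the binding also pins the ingress port (or equivalent L2 security) and the switch enforces it.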
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area