On Fri, 18 Jan 2002, Jari Arkko wrote:
> > I looked at a lot of stuff, but that's the only one I saw,
> > even though it can be dressed up in different ways.
> > What else is there?
> 
> I think you are right Charlie, that is the only downside.
> (There's a bunch of other downsides related to fixing
> with AAA the hole HAO leaves in ingress filtering, but
> that's another issue.)
> 
> The primary danger of unconstrained HAO is having even a small
> number of attackers spoof HAOs and use a large
> number of CNs as reflectors to attack a specific
> target even if your network has ingress filtering.
> Basically, it voids ingress filtering.
[snip]

There is a downside: the destination site's filtering ("spoofing protection" 
from the direction of the Internet) is nullified!

(This attack is especially nasty in "send a UDP exploit" scenarios -- not
necessarily DoS.)

This can be more or less partially repaired, e.g. by allowing incoming HAO
with a local Home Address only from local MNs, or local MNs that are known
to be outside, or even local MNs that match a specific binding and are
outside.

However, for security, that requires that packet filters wanting to protect
against this have the ability to go into extension headers and match
against HAO. This is not yet implemented anywhere that I know of;
requiring this for the security of HAO might be too much.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
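The kind of filter the message above says did not yet exist, as an added example that is not part of the original message or of any IPng/Mobile IPv6 implementation: Python that walks an IPv6 extension-header chain, pulls the Home Address option out of a Destination Options header, and applies the strictest of the three repairs listed (accept an HAO naming a local home address only when the (home, care-of) pair matches a known binding). The option type 201 and the 8n+6 alignment are the values the Mobile IPv6 specification assigns; the site prefix (documentation range), addresses, binding table and test packets are constructed for the example.

```python
import ipaddress
import struct

# Constants from RFC 2460 and the Mobile IPv6 specification.
IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_UDP = 0, 43, 44, 60, 17
OPT_PAD1, OPT_PADN, OPT_HOME_ADDRESS = 0, 1, 0xC9   # Home Address option type 201
HAO_LEN = 16

def _scan_options(pkt, pos, end):
    """Scan the TLV options of one Destination Options header; return HAO data or None."""
    while pos < end:
        opt_type = pkt[pos]
        if opt_type == OPT_PAD1:                  # Pad1 is one byte, no length field
            pos += 1
            continue
        if pos + 2 > end:
            raise ValueError("truncated option header")
        opt_len = pkt[pos + 1]
        if pos + 2 + opt_len > end:
            raise ValueError("option runs past the end of the extension header")
        if opt_type == OPT_HOME_ADDRESS:
            if opt_len != HAO_LEN:
                raise ValueError("Home Address option with bad length")
            return pkt[pos + 2:pos + 2 + HAO_LEN]
        pos += 2 + opt_len
    return None

def find_home_address_option(pkt):
    """Walk the extension-header chain (every Destination Options header, wherever it
    sits) and return the HAO home address as 16 bytes, or None. AH/ESP are not
    traversed; Mobile IPv6 places the HAO before them anyway."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in (NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS):
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_len = 8 if nh == NH_FRAGMENT else (pkt[off + 1] + 1) * 8
        end = off + hdr_len
        if end > len(pkt):
            raise ValueError("extension header runs past the end of the packet")
        if nh == NH_DSTOPTS:
            hao = _scan_options(pkt, off + 2, end)
            if hao is not None:
                return hao
        nh, off = pkt[off], end
    return None

def filter_inbound(pkt, site_prefix, bindings):
    """Decision for a packet arriving at the site border from the Internet side.
    bindings: set of (home_address, care_of_address) pairs of local MNs known to be away."""
    src = ipaddress.IPv6Address(pkt[8:24])
    hao = find_home_address_option(pkt)
    if hao is None:
        # classic anti-spoofing rule: a local source address cannot arrive from outside
        return "drop" if src in site_prefix else "accept"
    home = ipaddress.IPv6Address(hao)
    if src in site_prefix:
        return "drop"          # a local care-of address arriving from outside is spoofed
    if home in site_prefix:
        # The CN will treat this packet as coming from a local address, so the HAO
        # would bypass the rule above; accept only a registered (home, care-of) pair.
        return "accept" if (home, src) in bindings else "drop"
    return "accept"            # HAO naming a foreign home address: another site's problem

def build_packet(src, dst, home=None, payload=b"\x00" * 8):
    """Constructed test packet: IPv6 header, an optional 24-byte Destination Options
    header carrying the HAO, then an opaque payload flagged as UDP but not parsed."""
    ext, first_nh = b"", NH_UDP
    if home is not None:
        first_nh = NH_DSTOPTS
        ext = (struct.pack("!BB", NH_UDP, 2)            # next header, hdr ext len (3*8 bytes)
               + bytes([OPT_PADN, 0])                   # PadN so HAO data lands at 8n+6
               + bytes([OPT_HOME_ADDRESS, HAO_LEN]) + ipaddress.IPv6Address(home).packed
               + bytes([OPT_PADN, 0]))                  # PadN out to the 8-octet boundary
    body = ext + payload
    hdr = (struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return hdr + body

# Constructed scenario (documentation prefix): the site, a CN in it, one MN away from home.
SITE = ipaddress.IPv6Network("2001:db8:1::/48")
CN, LOCAL_HOST, ATTACKER = "2001:db8:1::10", "2001:db8:1::5", "2001:db8:ffff::bad"
MN_HOME, MN_COA = "2001:db8:1::77", "2001:db8:2::77"
BINDINGS = {(ipaddress.IPv6Address(MN_HOME), ipaddress.IPv6Address(MN_COA))}

def demo():
    """Run the border filter over the constructed cases; returns {case: decision}."""
    cases = {
        "plain external":       build_packet(ATTACKER, CN),
        "spoofed local src":    build_packet(LOCAL_HOST, CN),
        "external + local HAO": build_packet(ATTACKER, CN, home=LOCAL_HOST),  # the attack
        "MN with binding":      build_packet(MN_COA, CN, home=MN_HOME),
        "MN without binding":   build_packet(MN_COA, CN, home="2001:db8:1::78"),
    }
    return {name: filter_inbound(pkt, SITE, BINDINGS) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The "external + local HAO" case is the attack in the message: the outer source address is a legitimate remote address, so an address-only filter passes it, yet the CN will process it as if it came from 2001:db8:1::5. The two looser repairs mentioned (any local MN, or any local MN known to be away) replace the binding lookup with a membership test against the corresponding list; the parsing cost is the same either way, which is the point about filters having to reach into extension headers.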

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------