In your previous mail you wrote:
> There is a downside: destination site's filtering ("spoofing protection"
> from the direction of the Internet) is nullified!
> (This attack is especially nasty in "send a UDP exploit" scenarios -- not
> necessarily DoS.)

=> this is 4.1 section of my draft:
- the vulnerability can exist *only* if there are some home agents
inside the site (this is a strong constraint)
- the defense is basically the same: the filtering devices have to
know the bindings (the home registrations are enough) by the way
you'd like (several work, the only implementation I know uses
BU/BA snooping with success).

> This can be more or less partially repaired, by e.g. allow incoming HAO
> with local Home Address only from local MN's, or local MN's that are known
> to be outside, or even local MN's that match a specific binding and are
> outside.

=> no, this can be fully repaired. And in most cases very easily:
no home agent = no binding = just apply the anti-spoofing to everything
that can be a source address.

> However, for security, that requires packet filters wanting to protect
> from this must have the ability to go into extension headers and match
> against HAO.

=> if your packet filter doesn't already do that, change it ASAP.

> this is not yet implemented anywhere that I know of;

=> this was implemented 30 months ago somewhere I know of.
(I can ask for a testimony if you really want it)

> requiring this for security of HAO might be too much.

=> if I apply your argument to the routing header it should be forbidden...
I strongly disagree: stupid defects in some stupid firewalls should not
be admissible arguments against a protocol feature.

Regards

[EMAIL PROTECTED]

PS: the position of the HAO in packets was required by some firewall people,
so I believe there are at least two firewall expert teams which already
managed to deal with HAOs...
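The filtering rule argued for in this exchange (walk the extension headers, pull the Home Address Option out of the Destination Options header, and subject the home address to the same anti-spoofing check as a source address, accepting a site home address only from its registered care-of address) is shown below as an added example; it is not code from this thread or from any implementation mentioned in it. The site prefix, the binding table (as a packet filter would have learned it from BU/BA snooping) and the packets are constructed sample values; the parser assumes unfragmented packets and only the Hop-by-Hop, Routing and Destination Options headers.

```python
"""Added example: HAO-aware ingress anti-spoofing for an IPv6 site border."""
import ipaddress
import struct

# Next Header values (IANA protocol numbers) and the HAO option type (RFC 3775, 6.3).
HOPBYHOP, ROUTING, DESTOPTS, UDP = 0, 43, 60, 17
HAO_TYPE = 201


def _find_hao(opts: bytes):
    """Walk the TLV option area of a Destination Options header; return the
    home address carried by an HAO, or None if the header has none."""
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == 0:            # Pad1: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        opt_len = opts[i + 1]
        data = opts[i + 2:i + 2 + opt_len]
        if len(data) != opt_len:
            raise ValueError("truncated option data")
        if opt_type == HAO_TYPE:
            if opt_len != 16:
                raise ValueError("HAO with bad length")
            return ipaddress.IPv6Address(data)
        i += 2 + opt_len
    return None


def parse_ipv6(packet: bytes):
    """Return (src, dst, upper_layer_proto, home_address_or_None).
    Raises ValueError on anything malformed so the caller can fail closed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    nxt = packet[6]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    off, hao = 40, None
    # Hop-by-Hop, Routing and Destination Options share the same prefix:
    # Next Header (1 byte) | Hdr Ext Len (1 byte, 8-octet units, first 8 not counted).
    while nxt in (HOPBYHOP, ROUTING, DESTOPTS):
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        hdr_len = (packet[off + 1] + 1) * 8
        if off + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        if nxt == DESTOPTS:
            found = _find_hao(packet[off + 2:off + hdr_len])
            if found is not None:
                hao = found
        nxt = packet[off]
        off += hdr_len
    return src, dst, nxt, hao


def ingress_decision(packet: bytes, site_prefix, bindings: dict) -> str:
    """Border check for a packet arriving from the Internet. `bindings` maps
    home address -> care-of address; an empty dict models a site with no home agent,
    where any HAO carrying a site address is simply spoofing."""
    try:
        src, _dst, _proto, hao = parse_ipv6(packet)
    except ValueError:
        return "drop:malformed"      # a filter that cannot see the HAO fails closed
    if src in site_prefix:
        return "drop:spoofed-source"
    # The receiver will treat the home address as the source, so it gets the same
    # rule: a site address is acceptable only from its registered care-of address.
    if hao is not None and hao in site_prefix and bindings.get(hao) != src:
        return "drop:spoofed-home-address"
    return "accept"


def build_packet(src, dst, home_addr=None, payload=b"") -> bytes:
    """Construct an IPv6/UDP packet; with home_addr, prepend a Destination Options
    header carrying an HAO (a PadN of 4 keeps the HAO at its 8n+6 alignment)."""
    ext, nxt = b"", UDP
    if home_addr is not None:
        opts = bytes([1, 2, 0, 0]) + bytes([HAO_TYPE, 16]) + home_addr.packed
        ext = bytes([UDP, 2]) + opts          # 24 bytes -> Hdr Ext Len 2
        nxt = DESTOPTS
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nxt, 64)
    return hdr + src.packed + dst.packed + ext + payload


# Constructed sample values: a documentation prefix for the site and one mobile node
# whose binding (home address -> care-of address) the filter has snooped.
SITE = ipaddress.IPv6Network("2001:db8:1::/48")
HOME = ipaddress.IPv6Address("2001:db8:1::10")
CARE_OF = ipaddress.IPv6Address("2001:db8:ffff::1")
STRANGER = ipaddress.IPv6Address("2001:db8:ffff::2")
SERVER = ipaddress.IPv6Address("2001:db8:1::53")
BINDINGS = {HOME: CARE_OF}

if __name__ == "__main__":
    for label, pkt, table in [
        ("plain, outside source", build_packet(CARE_OF, SERVER), BINDINGS),
        ("HAO from registered care-of", build_packet(CARE_OF, SERVER, HOME), BINDINGS),
        ("HAO from another host", build_packet(STRANGER, SERVER, HOME), BINDINGS),
        ("HAO, site has no home agent", build_packet(CARE_OF, SERVER, HOME), {}),
    ]:
        print(f"{label:32s} -> {ingress_decision(pkt, SITE, table)}")
```

With an empty binding table the check collapses to exactly the rule stated in the reply ("no home agent = no binding"): every HAO that names a site address is dropped, and the only cost over classic source-address filtering is that the filter must parse Destination Options rather than stop at the fixed header.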
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------