> Glenn Morrow wrote:
> 
> Right,
> 
> So do people understand why having it in the address provides more protection?

No. Quoting Pekka Nikander's original description of the bidding-down attack:

 Note that an active attacker at the path between Alice and Bob is able
 to clear a set bit.  However, that changes the address, and Alice is
 not going to answer to any possible replies sent by Bob.  Thus, the
 bit prevents the attacker from impersonating as Alice and fooling Bob
 to use the less secure protocol.

This doesn't satisfy me. If the attacker is capable of clearing the bit
in the source address of packets from Alice to Bob, it is equally capable
of setting the bit in the destination address of packets from Bob to Alice.
(The proof of concept here is every NAT box sold so far.)
So I don't see why the attacker can't conduct a complete bidding-down attack
in which Alice sees only packets with the bit set, and Bob sees only packets
with the bit cleared. Alice will believe she has asserted "strong security
available", Bob will believe the opposite, and both will be fooled.

   Brian
 
> Now let's assume that we did not allow just RR, this would avoid the bidding down
> attack IFF there was only one strong method. But I suspect there may be more than
> one strong method and arguments as to which strong method is better will flourish
> and the bidding down attack may still be portrayed as being there between the
> strong mechanisms.
>
> Again this putting the bit in the address for extra protection may be in question
> over and over, IMHO. I.e. if a field that indicates which strong method to use is
> in place above the address then it can be altered as well using the same logic for
> the bit being in the address now.
> 
> > -----Original Message-----
> > From: gabriel montenegro [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 9:23 PM
> > To: Keith Moore
> > Cc: Jari Arkko; Mohan Parthasarathy; Pekka Nikander; Pekka Savola;
> > [EMAIL PROTECTED]; Erik Nordmark
> > Subject: Re: Allocating a bit in the RFC2374 Interface Identifier
> >
> >
> > Keith Moore wrote:
> >
> > > > Note that the MitM can also change the IP address, but if he does
> > > > so, he is *not* attacking the original host, as the address is
> > > > changed.
> > >
> > > unless of course the MitM can convince that host to take on
> > that address
> > > as an alias.
> >
> > So Mallory says that his address M is an alias for Alice's
> > address A. Ok.
> > What if Bob looking at A could know (yes, signalled by a bit) that A
> > it is only aliasable by very secure mechanisms. That's the
> > whole point.
> > Mallory would then be forced to break any of several very strong
> > (using crypto and explicit trust relationships) mechanisms:
> >
> >     - AAA
> >     - PKI
> >     - CGA
> >     - etc
> >
> > RR would definitely not be included here.
> >
> > -gabriel
> >
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------