Brian,
I agree with your reasoning. I suspect proponents of the bidding down bit will start using the acceptable risk argument at this point. The bit I think should be reserved long term is already but the terminology describing it should probably be changed.
> -----Original Message-----
> From: Brian E Carpenter [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 25, 2002 4:00 AM
> To: Morrow, Glenn [RICH2:C330:EXCH]
> Cc: [EMAIL PROTECTED]; Keith Moore; Jari Arkko; Mohan Parthasarathy; Pekka
> Nikander; Pekka Savola; [EMAIL PROTECTED]; Erik Nordmark
> Subject: Re: Allocating a bit in the RFC2374 Interface Identifier
>
>
> Glenn Morrow wrote:
> >
> > Right,
> >
> > So do people understand why having it in the address
> > provides more protection?
>
> No. Quoting Pekka Nikander's original description of the
> bidding-down attack:
>
> Note that an active attacker at the path between Alice and Bob is able
> to clear a set bit. However, that changes the address, and Alice is
> not going to answer to any possible replies sent by Bob. Thus, the
> bit prevents the attacker from impersonating as Alice and fooling Bob
> to use the less secure protocol.
>
> This doesn't satisfy me. If the attacker is capable of clearing the bit
> in the source address of packets from Alice to Bob, it is equally capable
> of setting the bit in the destination address of packets from Bob to Alice.
> (The proof of concept here is every NAT box sold so far.)
> So I don't see why the attacker can't conduct a complete bidding-down attack
> in which Alice sees only packets with the bit set, and Bob sees only packets
> with the bit cleared. Alice will believe she has asserted "strong security
> available", Bob will believe the opposite, and both will be fooled.
>
> Brian
>
> > Now let's assume that we did not allow just RR, this would
> > avoid the bidding down attack IFF there was only one strong method.
> > But I suspect there may be more than one strong method and
> > arguments as to which strong method is better will flourish and the
> > bidding down attack may still be portrayed as being there
> > between the strong mechanisms.
> >
> > Again this putting the bit in the address for extra
> > protection may be in question over and over, IMHO. I.e. if a field that
> > indicates which strong method to use is in place above the
> > address then it can be altered as well using the same logic for
> > the bit being in the address now.
> >
> > > -----Original Message-----
> > > From: gabriel montenegro [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, March 21, 2002 9:23 PM
> > > To: Keith Moore
> > > Cc: Jari Arkko; Mohan Parthasarathy; Pekka Nikander; Pekka Savola;
> > > [EMAIL PROTECTED]; Erik Nordmark
> > > Subject: Re: Allocating a bit in the RFC2374 Interface Identifier
> > >
> > >
> > > Keith Moore wrote:
> > >
> > > > > Note that the MitM can also change the IP address, but if he does
> > > > > so, he is *not* attacking the original host, as the address is
> > > > > changed.
> > > >
> > > > unless of course the MitM can convince that host to take on
> > > > that address as an alias.
> > >
> > > So Mallory says that his address M is an alias for Alice's
> > > address A. Ok.
> > > What if Bob looking at A could know (yes, signalled by a bit) that A
> > > is only aliasable by very secure mechanisms. That's the
> > > whole point.
> > > Mallory would then be forced to break any of several very strong
> > > (using crypto and explicit trust relationships) mechanisms:
> > >
> > > - AAA
> > > - PKI
> > > - CGA
> > > - etc
> > >
> > > RR would definitely not be included here.
> > >
> > > -gabriel
> > >
>
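The two rewriting cases argued over in the thread, Pekka Nikander's one-direction case (attacker clears the bit on Alice-to-Bob packets only) and Brian Carpenter's two-direction case (attacker also sets the bit in the destination of Bob-to-Alice packets), as a toy model that reports what each side ends up believing. This is an added example, not code from the thread or from any IETF draft; the bit position, the address values, and the rule that a host only acts on replies addressed to its own address are assumptions made for the model.

```python
from dataclasses import dataclass, replace

# Assumption: the "strong security available" flag is one bit of the
# 64-bit interface identifier; which bit is chosen does not matter here.
STRONG_BIT = 1 << 0


def has_bit(addr: int) -> bool:
    return bool(addr & STRONG_BIT)


def clear_bit(addr: int) -> int:
    return addr & ~STRONG_BIT


def set_bit(addr: int) -> int:
    return addr | STRONG_BIT


@dataclass(frozen=True)
class Packet:
    src: int
    dst: int


# Constructed 64-bit interface identifiers, not real addresses.
ALICE = set_bit(0x0200_0000_0000_0001)   # Alice asserts the bit
BOB = 0x0200_0000_0000_0002


def bob_reply(seen: Packet) -> Packet:
    """Bob answers to whatever source address he saw; his belief about the
    bit comes only from that address."""
    return Packet(src=seen.dst, dst=seen.src)


def outcome(seen_by_bob: Packet, seen_by_alice: Packet) -> dict:
    """What each side concludes. Alice only acts on replies addressed to her
    own address, the property Pekka Nikander's argument relies on."""
    return {
        "bob_sees_bit": has_bit(seen_by_bob.src),
        "reply_reaches_alice": seen_by_alice.dst == ALICE,
        "alice_sees_bit": has_bit(seen_by_alice.dst),
    }


def one_way_rewrite() -> dict:
    """Path attacker clears the bit only on Alice -> Bob packets."""
    sent = Packet(src=ALICE, dst=BOB)
    seen_by_bob = replace(sent, src=clear_bit(sent.src))
    reply = bob_reply(seen_by_bob)
    # Nothing is rewritten on the way back: the reply is addressed to the
    # cleared address, which is not Alice's, so she never acts on it.
    return outcome(seen_by_bob, reply)


def two_way_rewrite() -> dict:
    """Path attacker also sets the bit in the destination of Bob -> Alice
    packets, the NAT-like rewriter in Brian Carpenter's argument."""
    sent = Packet(src=ALICE, dst=BOB)
    seen_by_bob = replace(sent, src=clear_bit(sent.src))
    reply = bob_reply(seen_by_bob)
    seen_by_alice = replace(reply, dst=set_bit(reply.dst))
    return outcome(seen_by_bob, seen_by_alice)


if __name__ == "__main__":
    print("one-way rewrite:", one_way_rewrite())
    print("two-way rewrite:", two_way_rewrite())
```

In the one-way case the reply never reaches Alice, which is the protection Pekka's description counts on. In the two-way case Alice's view is indistinguishable from an unattacked exchange while Bob sees the bit cleared, so the address bit on its own gives neither side a way to notice the downgrade; that is why the later posts tie the bit to mechanisms the path attacker cannot rewrite (AAA, PKI, CGA) rather than to the address alone.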
