Brian,

> No. Quoting Pekka Nikander's original description of the bidding-down attack:
>
> > Note that an active attacker at the path between Alice and Bob is able
> > to clear a set bit. However, that changes the address, and Alice is
> > not going to answer any possible replies sent by Bob. Thus, the
> > bit prevents the attacker from impersonating Alice and fooling Bob
> > to use the less secure protocol.
>
> This doesn't satisfy me. If the attacker is capable of clearing the bit
> in the source address of packets from Alice to Bob, it is equally capable
> of setting the bit in the destination address of packets from Bob to Alice.
> (The proof of concept here is every NAT box sold so far.)
> So I don't see why the attacker can't conduct a complete bidding-down attack
> in which Alice sees only packets with the bit set, and Bob sees only packets
> with the bit cleared. Alice will believe she has asserted "strong security
> available", Bob will believe the opposite, and both will be fooled.
I am tired, and probably the situation is more complex, but this is my initial reaction. It looks like in the scenario you describe Alice and Bob would end up running different protocols: Alice the strong one, which the attacker presumably cannot break, and Bob the not-so-strong one, which the attacker presumably can break. Thus, Bob would end up running the not-so-strong protocol with the attacker, but the address used would not be Alice's address.

But I start to believe that I am missing things here, and that the reality is more complex than what we thought at the MIPv6 DT. That is, at least we need a mechanism for Alice to securely learn about the mechanisms Bob supports. Maybe we could use "the bit" here, too, but my brain just fails to analyze what happens to the address-spoofing MitM in that case; maybe you could perform the attack in both directions? But would that matter? If there is an attacker that can spoof packets and break the less secure protocol, it can create security associations with the less-secure protocol anyway, be there the legitimate peer or not.

Erik, Jari, or Gab, I guess it's your turn :-)

--Pekka Nikander

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
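The following is an added toy model of the two-direction bit-flipping scenario discussed in this thread; it is not code from the thread or from the MIPv6 design team. Addresses are small integers whose low bit stands in for the "strong security available" flag, the protocol names "strong" and "weak" are placeholders, and the rule that a peer picks its protocol from the flag in the address it sees is the assumption under discussion. The model reproduces Brian's attacker (clear the bit on the way to Bob, set it on the way back) and checks Pekka's observation: Bob ends up in the weak protocol with an address that is not Alice's, and Alice, who runs the strong protocol because her own address says so, does not accept a weak-protocol reply.

```python
# Added example (not from the thread): model of the bidding-down scenario
# with an on-path attacker rewriting the flag bit in both directions.
from dataclasses import dataclass

STRONG_BIT = 0x1          # assumed: low address bit = "strong security available"

ALICE = 0b1011            # constructed: Alice's real address, bit set
BOB = 0b0100              # constructed: Bob's address, bit clear


@dataclass(frozen=True)
class Packet:
    src: int
    dst: int
    proto: str            # protocol the sender is running: "strong" or "weak"


def choose_protocol(peer_addr: int) -> str:
    """Rule under discussion: pick the protocol from the flag in the peer's address."""
    return "strong" if peer_addr & STRONG_BIT else "weak"


def on_path_attacker(pkt: Packet) -> Packet:
    """Brian's attacker: clear the bit in Alice's source address towards Bob,
    set it again in the destination address of Bob's replies towards Alice."""
    if pkt.src == ALICE:
        return Packet(pkt.src & ~STRONG_BIT, pkt.dst, pkt.proto)
    if pkt.dst == (ALICE & ~STRONG_BIT):
        return Packet(pkt.src, pkt.dst | STRONG_BIT, pkt.proto)
    return pkt


def exchange(mitm: bool) -> dict:
    """One request/reply round, with or without the attacker on the path."""
    forward = (lambda p: on_path_attacker(p)) if mitm else (lambda p: p)

    # Alice -> Bob. Alice's own address has the bit set, so she runs "strong".
    request = forward(Packet(ALICE, BOB, "strong"))

    # Bob picks his protocol from the source address he actually sees and
    # replies to that address.
    bob_sees_alice = request.src
    bob_proto = choose_protocol(bob_sees_alice)
    reply = forward(Packet(BOB, bob_sees_alice, bob_proto))

    # Alice only handles packets to her real (bit-set) address, and only in
    # the protocol her address asserts; anything else is rejected.
    alice_receives = reply.dst == ALICE
    alice_accepts = alice_receives and reply.proto == "strong"

    return {
        "bob_peer": bob_sees_alice,          # address Bob's association is bound to
        "bob_peer_is_alice": bob_sees_alice == ALICE,
        "bob_proto": bob_proto,
        "alice_receives": alice_receives,    # attacker re-set the bit, so yes
        "alice_accepts": alice_accepts,      # wrong protocol, so no
    }


if __name__ == "__main__":
    print("no attacker:", exchange(mitm=False))
    print("attacker:   ", exchange(mitm=True))
```

Without the attacker both sides agree on "strong". With the attacker, Alice does receive Bob's reply (the bit was set again on the way back, as Brian notes), but it is a weak-protocol reply, so her strong-protocol side rejects it; Bob's weak association is bound to 0b1010, which is not Alice's address, which is the point Pekka makes in reply.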
