Pekka Nikander wrote:
>
> Brian,
>
> > No. Quoting Pekka Nikander's original description of the bidding-down attack:
> >
> >   Note that an active attacker at the path between Alice and Bob is able
> >   to clear a set bit. However, that changes the address, and Alice is
> >   not going to answer to any possible replies sent by Bob. Thus, the
> >   bit prevents the attacker from impersonating as Alice and fooling Bob
> >   to use the less secure protocol.
> >
> > This doesn't satisfy me. If the attacker is capable of clearing the bit
> > in the source address of packets from Alice to Bob, it is equally capable
> > of setting the bit in the destination address of packets from Bob to Alice.
> > (The proof of concept here is every NAT box sold so far.)
> > So I don't see why the attacker can't conduct a complete bidding-down attack
> > in which Alice sees only packets with the bit set, and Bob sees only packets
> > with the bit cleared. Alice will believe she has asserted "strong security
> > available", Bob will believe the opposite, and both will be fooled.
>
> I am tired, and probably the situation is more complex, but this is my initial
> reaction. It looks like in the scenario you describe Alice and Bob
> would end up running different protocols: Alice the strong one, which
> the attacker presumedly cannot break, and Bob the not-so-strong one,
> which the attacker presumedly can break. Thus, Bob would end up running
> the not-so-strong protocol with the attacker, but the address used would
> not be Alice's address.
>

It depends on how smart the MITM is, but I think in the simplest case,
Alice will hear from pseudo-Bob "I can't support strong security" (this
will be fabricated by the MITM) so she will be bid down, but Bob never
knows about this because he falsely believes that Alice can't support
strong security.
But I'm also tired; jet lag hasn't completely gone yet :-)

> But I start to believe that I am missing here things, and that the
> reality is more complex than what we thought at the MIPv6 DT. That is,
> at least we need a mechanism for Alice to securely learn about the
> mechanisms Bob supports. Maybe we could use "the bit" here, too, but
> my brains just fail to analyze what happens to the address-spoofing
> MitM in that case; maybe you could perform the attack in both directions?

Exactly

> But would that matter? If there is an attacker that can spoof packets
> and break the less secure protocol, it can create security associations
> with the less-secure protocol anyway, be there the legitimate peer or not.

Yes. There's a recursion here, and also a moral I think: don't allow weak
security, period.

   Brian

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
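
The following toy model of the exchange discussed in this thread is an added illustration, not part of the original messages. The bit position, the addresses and all function names are constructed assumptions; it compares an on-path rewriter that touches one direction with one that rewrites both, under a "weak fallback allowed" and a "strong only" policy at Bob.

```python
# Added illustration; STRONG_BIT and the addresses are constructed values.
from dataclasses import dataclass

STRONG_BIT = 0x01            # hypothetical position of "the bit" in an address
ALICE = 0xA0 | STRONG_BIT    # Alice asserts "strong security available"
BOB = 0xB0 | STRONG_BIT


@dataclass
class Packet:
    src: int
    dst: int


def no_rewrite(pkt, to_bob):
    return pkt


def clear_only(pkt, to_bob):
    # Case in the quoted description: only the bit in Alice's source is cleared.
    return Packet(pkt.src & ~STRONG_BIT, pkt.dst) if to_bob else pkt


def both_ways(pkt, to_bob):
    # Case raised in the reply: NAT-style rewriting in both directions.
    if to_bob:
        return Packet(pkt.src & ~STRONG_BIT, pkt.dst)
    return Packet(pkt.src, pkt.dst | STRONG_BIT)


def bob_choice(peer_addr, allow_weak):
    # Bob infers the peer's capability from the bit in the source address.
    if peer_addr & STRONG_BIT:
        return "strong"
    return "weak" if allow_weak else "refuse"


def exchange(path, allow_weak):
    """Return (protocol Bob selects, whether Alice accepts Bob's reply)."""
    seen = path(Packet(ALICE, BOB), to_bob=True)
    choice = bob_choice(seen.src, allow_weak)
    if choice == "refuse":
        return choice, False
    reply = path(Packet(BOB, seen.src), to_bob=False)
    # Alice only answers packets addressed to her real (bit-set) address.
    return choice, reply.dst == ALICE


if __name__ == "__main__":
    for path in (no_rewrite, clear_only, both_ways):
        for allow_weak in (True, False):
            print(path.__name__, allow_weak, exchange(path, allow_weak))
```

With rewriting in both directions and fallback allowed, Bob selects the weak protocol while Alice still sees her own bit-set address; with fallback disabled the exchange is refused instead.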
