Brian and Pekka, > > I am tired, and probably the situation is more complex, > but this my initial > > reaction. It looks like in the scenario you describe > Alice and Bob > > would end up running different protocols: Alice the > strong one, which > > the attacker presumedly cannot break, and Bob the > not-so-strong one, > > which the attacker presumedly can break. Thus, Bob would > end up running > > the not-so-strong protocol with the attacker, but the > address used would > > not be Alice's address. > > > It depends on how smart the MITM is, but I think in the > simplest case, > Alice will hear from pseudo-Bob "I can't support strong > security" (this > will be fabricated by the MITM) so she will be bid down, > but Bob never knows > about this because he falsely believes that Alice can't > support strong security.
=> I have to add myself to the list of tired/jetlagged people :). But, in the scenario you mention, it seems to me that Alice will not end up talking to Bob and Bob will not end up talking to Alice. And both will not end up talking to the MITM anyway. In fact, If the MITM modified the first message in the, lets call it SA establishment, then this SA establishment will fail. If it was the last message that was modified then it will also fail because the message will be inconsistent with the intial ones. So it seems to me like a classic DoS attack. Nothing we can do here. What am I missing? > > But I start to believe that I am missing here things, and that the > > reality is more complex than what we thought at the MIPv6 > DT. That is, > > at least we need a mechanism for Alice to securely learn about the > > mechanisms Bob supports. Maybe we could use "the bit" > here, too, but > > my brains just fail to analyze what happens to the > address-spoofing > > MitM in that case; maybe you could perform the attack in > both directions? > > Exactly => But then we end up with Alice talking to Sam and Bob talking to Homer! So what ? > > But would that matter? If there is an attacker that can > spoof packets > > and break the less secure protocol, it can create > security associations > > with the less-secure protocol anyway, be there the > legitimite peer or not. > > Yes. There's a recursion here, and also a moral I think: > don't allow weak > security, period. => I used to wonder about the strength of RR only for MIPv6. But after a long thread with Erik, I am convinced that it is as strong as the weakest link. I.e. ND. So I agree with Erik's statement during the presentation in Minneapolis, which said that securing ND will make RR seem less secure. Hence the need for allowing this stronger mechanism in future. I.e. put the bit in the iid. Hesham -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
