Brian,

> "Hesham Soliman (ERA)" wrote:
>>The scenario Brian mentioned
>>will not be an issue for bidding down attacks
>>related to mobility. 

Brian E Carpenter wrote:
> Can you explain? I don't see why you can't have an evil MitM 
> intercepting binding updates and bidding them down.

This is really a question of perception and threat model.

Technically you are right.  An evil MitM can intercept
binding updates and bid them down.  However, the evil
MitM can do worse things, like prevent communication
altogether.  It can also perform a "classic" MitM attack,
changing message contents on the fly.

The goal of MIPv6 security is not to protect against
"classic" MitM attacks.  It is designed to secure
mobility signalling, i.e. messages that change a node's
(CNs) internal routing information.  That is, the goal
is to prevent false bindings from being created at a CN,
and thereby prevent traffic diversion and DoS, among other
things.

Now, the design goal for the MIPv6 security design was
"do no harm", meaning that MIPv6 must not make the Internet
any less secure than it is already now.  From that point
of view, the selected MIPv6 security mechanism, Return
Routability (RR), is approaching the goal from below.
That is, it still allows "time shifting" attacks where
an attacker is able to create a binding when a Mobile Node
is not active, and thereby prevent the legitimate MN from
communicating with the CN once it becomes active.  (There
are also other DoS concerns involved where other hosts or
parts of the network become victims of DDoS attacks.)
Now, RR reaches the goal by reducing the time window
for the "time shifting" attacks to a few minutes.

Thus, RR as such, is insecure.  A MitM can break it easily.
Now, one goal of the "bit method" was to reserve some footing
for the more secure protocols.  That is, if we assume that
there are two types of mobile nodes, "weak" ones and "strong"
ones, but only one type of corresponding nodes, ones that
are able to act either as "weak" or "strong", the bit method
does indeed seem to create some footing.

When a "strong" MN talks to the CN, a MitM can still prevent
all communications between the MN and the CN and it can change
MN's address into a "weak" one on packets flowing MN->CN
and back to the "strong" one on packets flowing on CN->MN.

However, if we consider our security goal, that doesn't matter.
Our goal was to prevent the creation of false bindings.  The
MitM cannot create a false binding for the MN at the CN, and
it cannot fool the MN to believe that it has successfully
created a binding at the CN.

The crucial assumptions here are the following:

  1.  We want to prevent the MitM from creating bindings
      for some addresses even if it is able to break
      the "weak" method.  This creates some footage for
      the "strong" methods.

  2.  The MNs make an a priori decision whether they want
      to use a strong or the weak method.

  3.  Our goal is to allow the MN to securely indicate
      to the CN whether it wants to use the "weak" or "strong"
      method.

Now, under these specific conditions the "bit method" seems
to work.  Not perfectly, but well enough.   On the other hand,
the bit method *cannot* be used as a generic bidding down
protection, as I mistakenly thought for a couple of weeks.
And of course it is possible that there is still some flaw
in my thinking and/or in the explanation above.  If that is
the case, I'd be happy if you or anyone could please point
that out.

Well, personally I consider the bit method as a gross
hack, and really wish that we can create something better.
The need is there.  We just need a method.

--Pekka Nikander
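The argument above (a MitM can flip the bit and rewrite addresses, but cannot create a false binding for the strong MN's address at the CN, nor convince the MN that a binding exists) can be checked against a small model. The following is an added example, not code from the thread or from any MIPv6 implementation. Its assumptions: the "bit" is a flag in the interface identifier of the home address, so flipping it yields a different address; the strong method is stood in for by an HMAC under a pre-shared key (assumption 2: the MN has decided a priori to be "strong", and the CN holds the key); the weak method is stood in for by a token that any on-path node can compute, which is all the model needs of Return Routability for this argument. All names, addresses and keys are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical placement of the "bit": a flag in the home address's interface
# identifier, so a strong address and its weak variant are distinct addresses.
STRONG_BIT = 1 << 63


@dataclass(frozen=True)
class Address:
    prefix: str
    iid: int

    @property
    def strong(self) -> bool:
        return bool(self.iid & STRONG_BIT)

    def as_weak(self) -> "Address":
        return Address(self.prefix, self.iid & ~STRONG_BIT)   # same prefix, flag cleared

    def __str__(self) -> str:
        return f"{self.prefix}:{self.iid:016x}"


def tag(key: bytes, *parts: str) -> str:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class BindingUpdate:
    home: Address
    care_of: str
    proof: str   # MAC for the strong method, RR-style token for the weak one


Ack = Tuple[Address, str, str]   # (home, care-of, ack tag; empty for weak bindings)


class CorrespondentNode:
    """A CN able to act as weak or strong; the bit in the home address selects which."""

    def __init__(self, strong_keys: Dict[Address, bytes]):
        self.strong_keys = dict(strong_keys)   # stand-in for the strong method's key material
        self.cache: Dict[Address, str] = {}    # binding cache: home address -> care-of address

    def rr_token(self, home: Address) -> str:
        # Stand-in for Return Routability: computable by anything on the path.
        return hashlib.sha256(f"rr|{home}".encode()).hexdigest()

    def receive(self, bu: BindingUpdate) -> Optional[Ack]:
        if bu.home.strong:
            key = self.strong_keys.get(bu.home)
            if key is None or not hmac.compare_digest(
                    bu.proof, tag(key, "bu", str(bu.home), bu.care_of)):
                return None                     # no binding for a strong address without the key
            self.cache[bu.home] = bu.care_of
            return (bu.home, bu.care_of, tag(key, "ack", str(bu.home), bu.care_of))
        if not hmac.compare_digest(bu.proof, self.rr_token(bu.home)):
            return None
        self.cache[bu.home] = bu.care_of        # weak binding, for the weak address only
        return (bu.home, bu.care_of, "")


class StrongMobileNode:
    """An MN that decided a priori to use the strong method (assumption 2)."""

    def __init__(self, home: Address, key: bytes):
        assert home.strong
        self.home, self.key = home, key

    def binding_update(self, care_of: str) -> BindingUpdate:
        return BindingUpdate(self.home, care_of, tag(self.key, "bu", str(self.home), care_of))

    def ack_is_valid(self, ack: Optional[Ack], care_of: str) -> bool:
        # The MN believes a binding exists only if the ack is keyed to its own address.
        if ack is None:
            return False
        home, coa, t = ack
        return (home == self.home and coa == care_of
                and hmac.compare_digest(t, tag(self.key, "ack", str(self.home), coa)))


def on_path_rewrite(cn: CorrespondentNode, bu: BindingUpdate) -> Optional[Ack]:
    """The MitM of the thread: weak address on MN->CN, strong address back on CN->MN."""
    weak = bu.home.as_weak()
    ack = cn.receive(BindingUpdate(weak, bu.care_of, cn.rr_token(weak)))
    return None if ack is None else (bu.home, ack[1], ack[2])


def run_scenario() -> Dict[str, bool]:
    key = b"constructed-strong-key"                       # constructed sample key
    home = Address("2001:db8", STRONG_BIT | 0x1)          # constructed strong home address
    mn, cn = StrongMobileNode(home, key), CorrespondentNode({home: key})

    # 1. Bidding down in transit: a binding appears, but only for the weak address.
    ack = on_path_rewrite(cn, mn.binding_update("coa-mn"))
    weak_only = cn.cache.get(home.as_weak()) == "coa-mn" and home not in cn.cache
    mn_rejects = not mn.ack_is_valid(ack, "coa-mn")

    # 2. A weak proof offered for the strong address: no binding is created.
    forged = BindingUpdate(home, "coa-other", cn.rr_token(home))
    forgery_rejected = cn.receive(forged) is None and home not in cn.cache

    # 3. The unmodified update binds the strong address, and the MN can tell.
    ack = cn.receive(mn.binding_update("coa-mn"))
    honest = cn.cache.get(home) == "coa-mn" and mn.ack_is_valid(ack, "coa-mn")

    return {"bid_down_creates_weak_binding_only": weak_only,
            "mn_rejects_bid_down_ack": mn_rejects,
            "forgery_rejected": forgery_rejected,
            "honest_binding": honest}
```

`run_scenario()` returns all four checks true, which is exactly the property the thread settles for: the MitM can deny service and can make the CN hold a binding for some other (weak) address, but the strong address is never bound on its behalf and the MN is not fooled into thinking it was. The model also makes the limitation visible: nothing here stops a weak-address binding, so the bit offers no generic bidding-down protection, only footing for the strong method.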

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
