Brian E Carpenter wrote:
> This I still don't understand. A header option can assert "weak"
> or "strong" (or better, "algorithm ID") just as well as magic
> bits in an address, without overloading the address and stealing
> bits already allocated in EUI-64. A header option can also be
> cryptographically authenticated. 

I agree.  Header options can be authenticated as well as addresses.
However, there are masquerade attacks where there is only Bob
and Mallory, no Alice at all.  Alice comes only later, and when
she comes, her address has been taken.  Therefore it looks
like addresses *may* also need protection, not just hosts.

> I fully understand why we need bidding-down protection and the
> newly suggested step down procedure. I just can't see a case
> for putting the required semantics in the address. 

Well, maybe my logic (or non-logic) goes something like this:

   1. Let us assume that there are "weak" and "strong" hosts.

   2. Let us assume that there is no trusted security infrastructure.

   3. Now, the "strong" hosts want to talk both to "weak"
      hosts and "strong" hosts, but only in a "strong" way to
      the "strong" hosts.

   4. If we can pre-label the addresses, then the "strong" hosts
      can select an address that says "strong", and the "weak"
      hosts can select an address that says "weak".

   5. I *think* that such labeling helps, under certain situations,
      but it is definitely not a panacea, as I've said many times.

Why do I think that it helps?  Since it allows a "strong" host
to immediately detect an address as a weak one, and therefore
assume that the host using that address is a weak one.

Now, as you have pointed out, a MitM can tweak addresses as
easily as any other options in the packets.  Thus, if we want
to secure *communication* between the hosts, the labeling of
addresses is not needed.  However, if we want to secure *properties*
of the *addresses*, such as whether to use a source route for
a given address or not, or what is the MAC address for the
given address, labeling does seem to help.

From my point of view, source routing (i.e. MIPv6 RO) and
neighbor discovery deal with *addresses*, not hosts.  But
maybe I have been grossly mistaken here, and maybe I need
to revise my thinking completely.

[Mobility certainly is not a property of an address but of a host,
but MIPv6 specifically binds mobility to the home
*address*, giving the home address special semantics and
reducing mobility to source routing.  Personally, I think
that is a mistake, and that something like HIP or GSE would
be better for mobility.  I have to think more about ND.]

--Pekka Nikander

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------