On Sun, Jul 27, 2003 at 02:52:54PM +0200, Nir Arad wrote: > Should a node (a router) check the validity of the mapping of IPv6 > multicast destination address into the Ethernet MAC multicast address?
> Could there be a security issue?
Exactly my question. To be exact:
Assume the receiving node R had subscribed to IPv6 multicast groups A and B.
Assume that the corresponding MAC groups are a = mac(A) and b = mac(B).
Also, let C be an IPv6 multicast group with a = mac(C), and D be an IPv6
multicast group with mac(D) != a and mac(D) != b.
To make things more interesting, most multicast filters accept a pretty
large equivalence class of multicast MACs - so let E be an IPv6 multicast
group with (e = mac(A)) != a and e != b, but where R receives at layer 2
e if it is configured to receive a.
I observe:
- Your proposal obviously can't protect R against receiving packets
addressed to C, and has to filter against them on layer 3 (actually,
naturally it will do this as it will have no consumer for them).
- For similar reasons, it will already block/ignore, at layer 3, all E
packets.
So the only case that your proposal makes a difference is when a rogue
sender S sends a packet for B to the MAC address a, which is accepted on
layer 2 because R also wants to receive A, and which is later accepted
on L3 because R wants to accept B in the first place.
* Is there any security threat here? Of course, you can construct a DOS,
but you would need to block this at the sender, not after the first hop.
* Also, if S sends out packets with the wrong MAC address, most receivers
will NOT receive them. Harm is done to the sender, not the receiver. A
diagnostic tool should be around to detect this, so that S's software
can be fixed - but should be add additional code to check for this
everywhere, hurting all nodes for all L2-received packets, while wrongly
L2'd packets are dropped anyway later? I think not.
Regards,
-is
pgp00000.pgp
Description: PGP signature
