Fernando,

On 1/25/12 5:18 AM, Fernando Gont wrote:
> On 01/24/2012 11:39 PM, Brian E Carpenter wrote:
>>>>> If the attacker can *observe* labels, why would he bother to "guess" them?
>>>> So that s/he can generate plausible bogons as part of a DOS attack. It seems
>>>> to me that predictability of the flow label is similar to predictability
>>>> of port numbers in that respect.
>>>
>>> Let me rephrase with two questions:
>>>
>>> a) If an attacker is off-path, how can he "attack" the algorithm
>>> proposed in "draft-gont-6man-flowlabel-security-02.txt"?
>>
>> OK, I mean an attacker who is able to observe the traffic but not
>> perform MITM modifications. Some people call that off-path...
>
> Well, the attacker *is* on the path if he can observe traffic.
>
> That said, if the attacker is able to observe traffic, then game over.
> Whether we use random FlowLabels or predictable FlowLabels is the same:
> the attacker is not going to waste his time "guessing" when he can learn
> the labels by listening to traffic.

I think you and Brian C. are not talking about the same issue. Brian C. is talking about being able to see current flow labels and then being able to guess future flow labels. That is, the attacker has the ability to forge traffic for a future exchange. You seem to be focused on the observation of a current flow and the attacker being able to inject traffic into that flow.

>
>
>>> b) If an attacker is on-path how does any algorithm prevent the attacker
>>> from *knowing* which FlowLabels he should forge?
>>
>> Obviously for an established flow, you can inject forged packets that
>> appear to belong to that flow; we can never prevent this. But if you
>> can predict the flow label for *future* flows, you can forge and
>> inject SYN packets before the real user ever starts the flow. Since
>> a large part of today's forged traffic seems to consist of SYN packets,
>> this seems like a sensitive target.
>
> Since FlowLabels do not carry any specific semantics, I cannot see how
> "forge and inject before..." would be any worse than firing those
> packets once the flow has already been established.

Injection of state into the endpoints may influence a large number of functions, so an attacker's ability to forge packets may allow it to skew the behavior of one of the nodes.

>
> That aside, as noted above, the attacker could only predict flowlabels
> if he is on-path. And if the attacker is on-path, game over.

I don't think that is completely true. If the attacker cannot guess the future flow label correctly, its attempts may be detected.

Regards,
Brian H.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
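The point Brian H. closes on, as a constructed illustration added here (not code from the thread, and not the algorithm in draft-gont-6man-flowlabel-security-02): a counter-based 20-bit flow label generator beside a CSPRNG-based one, with an observer who has seen a few labels and then guesses the label each future flow will carry. Guesses that hit are forged SYNs a receiver could not distinguish from real ones; guesses that miss are the detectable attempts he refers to. The `SequentialLabeler`, `RandomLabeler` and the "last seen + 1" predictor are assumptions made for this demo.

```python
import secrets  # OS CSPRNG, standard library; runs offline

FLOW_LABEL_BITS = 20                      # IPv6 Flow Label field width
FLOW_LABEL_MASK = (1 << FLOW_LABEL_BITS) - 1


class SequentialLabeler:
    """Constructed weak scheme: each new flow gets previous label + 1."""
    def __init__(self, start=0x12345):
        self.last = start & FLOW_LABEL_MASK

    def next_label(self):
        self.last = (self.last + 1) & FLOW_LABEL_MASK
        return self.last


class RandomLabeler:
    """Unpredictable scheme: 20 fresh random bits for every new flow."""
    def next_label(self):
        return secrets.randbits(FLOW_LABEL_BITS)


def predict_next(observed):
    """Observer's guess for the next label, given labels seen so far.
    The model 'last seen + 1' is exactly right for a counter and no
    better than a 1-in-2^20 shot against a random label (assumption)."""
    return (observed[-1] + 1) & FLOW_LABEL_MASK


def run_trial(labeler, n_observed=5, n_future=200):
    """Let the observer see n_observed legitimate labels, then guess the
    label of each of n_future new flows before the host starts them.
    Returns (hits, misses): a hit is a guess matching the host's real next
    label, so a forged SYN carrying it would look plausible; a miss is a
    forged packet whose label matches no flow and can be flagged."""
    observed = [labeler.next_label() for _ in range(n_observed)]
    hits = 0
    for _ in range(n_future):
        guess = predict_next(observed)
        actual = labeler.next_label()   # the label the host really assigns
        if guess == actual:
            hits += 1
        observed.append(actual)
    return hits, n_future - hits


if __name__ == "__main__":
    print("sequential labels:", run_trial(SequentialLabeler()))  # (200, 0)
    print("random labels:    ", run_trial(RandomLabeler()))      # ~(0, 200)
```

With the counter every future label is guessed, so no forged SYN stands out; with random labels essentially every forged packet carries a label the receiver never issued, which is what makes the attempts detectable.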
