Hi Christian,

Let me first say that I have altered the subject line because, as I explained earlier, our approach does not provide for data confidentiality (one can eavesdrop on the data but one cannot modify and spoof the sender or message content) but does provide for data integrity. If one wants both confidentiality and data integrity then one can use the approach I introduced in the first message I sent. This approach is called CGA-TSIGe (encrypted CGA-TSIG).

> CGA only protect against MITM attacks if the addresses are exchanged
> securely. Otherwise, you get the following situation:

May I ask you to first read the draft cga-tsig? I guess your assumption is that CGA is valid only in the local link so any other nodes are capable of playing in between, like playing MITM or like Proxy NDP, etc. To answer your concern, I confirm that CGA-TSIG is an application layer protocol, dissimilar to the original CGA, and that the node directly makes use of TCP or UDP to send messages to the DNS server or other nodes. This means that CGA-TSIG options constitute a payload within the TCP message which is signed by the originator. There is thus a binding between the originator IP address and the public key of the signer so this approach works and avoids MITM attacks by providing data integrity.

> * A wants to connect with B;
> * The evil E convinces A that the address of B is X, a CGA address composed by

How does the evil E convince A? This is the question because A already knows the IP address of B and only accepts the messages from B. It will not open any channel with any intermediate nodes as it expects an end to end channel with B whose IP address it knows and the routers in between only route the packets. What I want to tell you here is that we assume that A receives the IP address of B from a resolver that again knows its IP address or obtained it in a secure manner. Your scenario, by the use of cga-tsig, changes to the following:

A asks R (resolver) what is the IP address of B.
Evil E says that it is X.
A checks the signature and proceeds with the CGA verification. It fails.
A rejects the answer from E.
A receives a response from R.
A proceeds using the verification process that is explained in cga-tsig.
A accepts R and accepts the message content.
R says the IP address is Y.
A establishes the connection with B using Y.
E fails so E couldn't play the MITM.

> E;
> * Using CGA, A establishes a secure channel to X;
> * Using CGA, E establishes a secure channel from X to B;
>
> Voila, the connections are properly secured with CGA, yet E is in the middle.

I think the data confidentiality doesn't need to use the resolver scenario. Because the resolver responds to anonymous queries it doesn't make sense to decrease the DNS performance by the use of something that is not needed. What I want to explain here is that data confidentiality is good for DNS query updates (zone transfer, FQDN update) in order to avoid leaking zone information.

Hosnieh

_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
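
The address-to-key binding check that the scenario above relies on, written out as an added example following the CGA verification rules of RFC 3972; it is not part of the original message or of the cga-tsig draft. The key bytes, prefix, modifiers and the `accept_response` helper are constructed for illustration, and the signature check over the message itself is not shown.

```python
import hashlib
import ipaddress

IID_MASK = bytes([0x1C]) + b"\xff" * 7  # ignore Sec bits (0-2) and u/g bits (6-7)

def make_cga(prefix, modifier, pubkey):
    """Derive a Sec=0, collision-count-0 CGA from an 8-byte prefix and a key."""
    iid = bytearray(hashlib.sha1(modifier + prefix + b"\x00" + pubkey).digest()[:8])
    iid[0] &= 0x1C  # Sec = 0, u and g bits cleared
    return str(ipaddress.IPv6Address(prefix + bytes(iid)))

def verify_cga(address, modifier, coll, pubkey):
    """RFC 3972 section 5 checks (no extension fields): is address bound to pubkey?"""
    addr = ipaddress.IPv6Address(address).packed
    prefix, iid = addr[:8], addr[8:]
    if coll not in (0, 1, 2) or len(modifier) != 16:
        return False
    hash1 = hashlib.sha1(modifier + prefix + bytes([coll]) + pubkey).digest()[:8]
    if any((h ^ i) & m for h, i, m in zip(hash1, iid, IID_MASK)):
        return False
    sec = iid[0] >> 5
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return hash2[:2 * sec] == bytes(2 * sec)  # 16*Sec leading zero bits

def accept_response(known_resolver, src, modifier, coll, pubkey):
    """A's decision: the sender must be the resolver A already knows, and the
    key carried in the response must hash to that address."""
    same = ipaddress.IPv6Address(src) == ipaddress.IPv6Address(known_resolver)
    return same and verify_cga(src, modifier, coll, pubkey)

# Constructed sample values (a real CGA uses a DER-encoded public key).
PREFIX = bytes.fromhex("20010db800000001")
R_KEY, R_MOD = b"constructed-resolver-public-key", bytes(range(16))
E_KEY, E_MOD = b"constructed-attacker-public-key", bytes(range(16, 32))
R_ADDR = make_cga(PREFIX, R_MOD, R_KEY)
E_ADDR = make_cga(PREFIX, E_MOD, E_KEY)

if __name__ == "__main__":
    print("R answers from R_ADDR with R's key:", accept_response(R_ADDR, R_ADDR, R_MOD, 0, R_KEY))
    print("E spoofs R_ADDR with E's key:     ", accept_response(R_ADDR, R_ADDR, E_MOD, 0, E_KEY))
    print("E answers from its own valid CGA: ", accept_response(R_ADDR, E_ADDR, E_MOD, 0, E_KEY))
```

The third case shows why the check depends on A already knowing the resolver's address: E's own address is a valid CGA for E's key, so it is rejected only because it is not the address A expects.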
