Hi Ran, 

> At the suggestion of one of the RRG Chairs, kindly let me 
> reiterate the explanations on this topic, with specific 
> reference to the slides presented at RRG in Stockholm today.
> 
> Looking specifically at Slide 22:
> 
> 1) Off-path Attacks
>     Ordinary IPv6 without IPsec has broad vulnerability to on-path
>     attacks, as noted in Slide 22, round bullet 2, triangle sub-bullet 2,
>     first dash sub-sub-bullet.
> 
>     This means that to provide equivalent security ILNP without IPsec
>     only needs to protect against off-path attacks.
> 
>     ILNP includes a Nonce to protect traffic from off-path attacks,
>     as described in Slide 22, 2nd round bullet (and its subsidiary
>     items).
> 
>     This means that ILNP without IPsec has the same security properties
>     as IPv6 without IPsec.  This is also described in
>     draft-rja-ilnp-nonce-* and in the other draft-rja-ilnp-* drafts --
>     in more detail than fits on 1 slide in a ~30 minute overview talk.
>     This is also described in the 2nd circular bullet on Slide 22.

Sorry, I just read your ilnp-nonce draft. I felt that without the HIP/CGA
tricks, this nonce mechanism itself only solves the session hijacking
problem, and it doesn't prevent stealing and spoofing of the identifiers.
For example, an attacker could use somebody else's identifier to initiate
communication with a given correspondent node. 

Of course, it largely depends on the semantics of the identifier in your
ILNP. As quoted from your ilnp draft, "Identifiers are unique within the
context of a given Locator; in many cases, Identifiers might happen to be
globally unique, but that is not a functional requirement for this proposal."
The related concerns are as follows:

1) Based on the assumption that the identifier is not globally unique, if
two hosts using the same identifier initiate communication with a third
host, how could this third host distinguish the different sessions from
these two hosts? 

2) Based on the assumption that the identifiers only need to be unique
within the context of a given Locator, if a mobile node moved to a new
subnet, and unfortunately there is a host within this subnet which uses the
same identifier as the mobile node, should the mobile node renumber its
identifier?

3) If I understand your ILNP correctly, the DNS server will be used as the
rendezvous to deal with the simultaneous mobility issue. In practice,
multiple hosts could share a FQDN for load-balancing purposes; that is to say,
the mapping between FQDN and I/L is 1:N, not 1:1. How could the mobile node
know which I/L corresponds to the communicating node? Or do you believe
the DNS should be changed so that each host will have a globally unique FQDN
in your ILNP architecture?

Best regards,

Xiaohu

> 2) On-path Attacks
>     For ordinary IPv6, the only solution to on-path attacks is to use
>     IPsec (most obviously AH, but some forms of ESP could also suffice).
> 
>     For ILNP, the existing solution of IPsec continues to work fine, and
>     actually works *better* because IPsec for ILNP works even if Locator
>     Translation ("NAT") is deployed along the path -- without requiring
>     any special UDP encapsulation for "IPsec NAT Traversal".  This is
>     described in the first round bullet of Slide 22 (and its subsidiary
>     items on that same slide).
> 
> Yours,
> 
> Ran
> 
> _______________________________________________
> rrg mailing list
> [email protected]
> http://www.irtf.org/mailman/listinfo/rrg

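The exchange above argues about what a per-session nonce does and does not protect. The following is an added toy model, written for this page and not taken from the thread or from the draft-rja-ilnp-* documents, that replays the cases both sides raise: a legitimate locator change, an off-path forgery that lacks the nonce, an on-path forgery that has seen it, a fresh session opened under a spoofed identifier, and a second honest host that happens to use the same identifier. Everything about the model is an assumption made here for illustration rather than the draft's wire format: the packet fields, a 32-bit nonce, one nonce per host that it carries in every packet it sends, and a correspondent that keys session state on the peer's Identifier alone and treats a changed source Locator as a locator update.

```python
"""Toy model of an ILNP-style per-session nonce (added example, not the
draft's wire format).  A correspondent keys sessions by the peer's
Identifier; a packet whose source Locator differs from the one on record
is treated as a locator update and is accepted only if it carries the
nonce learned when the session began.  All sizes and fields are assumptions."""
import secrets
from dataclasses import dataclass

NONCE_BITS = 32  # assumed size for the toy; the nonce draft defines the real one


@dataclass(frozen=True)
class Packet:
    src_id: int      # source Identifier
    src_loc: int     # source Locator
    dst_id: int      # destination Identifier
    nonce: int       # value carried in the (modelled) Nonce option
    payload: bytes


@dataclass
class Session:
    peer_loc: int    # Locator currently believed for the peer
    peer_nonce: int  # nonce the peer chose; must appear in every packet from it


class Host:
    def __init__(self, ident: int, loc: int):
        self.ident, self.loc = ident, loc
        self.nonce = secrets.randbits(NONCE_BITS)   # this host's nonce
        self.sessions: dict[int, Session] = {}      # keyed by peer Identifier only

    def send(self, dst_id: int, payload: bytes = b"data") -> Packet:
        return Packet(self.ident, self.loc, dst_id, self.nonce, payload)

    def receive(self, pkt: Packet) -> str:
        if pkt.dst_id != self.ident:
            return "drop: not addressed to this Identifier"
        sess = self.sessions.get(pkt.src_id)
        if sess is None:
            # First packet from this Identifier: there is nothing to verify the
            # claimed Identifier against, so Identifier and nonce are recorded.
            self.sessions[pkt.src_id] = Session(pkt.src_loc, pkt.nonce)
            return "accept: new session"
        if pkt.nonce != sess.peer_nonce:
            return "drop: nonce mismatch"           # off-path forgery lands here
        if pkt.src_loc != sess.peer_loc:
            sess.peer_loc = pkt.src_loc             # mobility: update the Locator
            return "accept: locator updated"
        return "accept"


def run_scenarios() -> dict[str, object]:
    """Replay the cases argued in the thread; returns what the correspondent did."""
    out: dict[str, object] = {}
    cn = Host(ident=0xB, loc=10)            # correspondent node
    mn = Host(ident=0xA, loc=1)             # mobile node
    out["mn_opens"] = cn.receive(mn.send(0xB, b"SYN"))

    mn.loc = 2                              # mobile node moves to a new subnet
    out["mn_moves"] = cn.receive(mn.send(0xB))

    # Off-path attacker: knows A's Identifier but never saw the nonce.  A wrong
    # guess is forced here so the result is deterministic (a random guess
    # fails with probability 1 - 2**-NONCE_BITS).
    bad_nonce = (mn.nonce + 1) % (1 << NONCE_BITS)
    out["offpath_forge"] = cn.receive(Packet(0xA, 666, 0xB, bad_nonce, b"hijack"))
    out["offpath_loc_kept"] = cn.sessions[0xA].peer_loc == 2

    # On-path attacker: captured a packet from A, so it knows the nonce and can
    # redirect the session.  This is the case the thread leaves to IPsec.
    captured = mn.send(0xB)
    out["onpath_forge"] = cn.receive(Packet(0xA, 666, 0xB, captured.nonce, b"hijack"))
    out["onpath_loc_now"] = cn.sessions[0xA].peer_loc

    # Spoofed initiation: an attacker opens a fresh session claiming an
    # Identifier that has no session at the correspondent yet; no nonce exists
    # to check, so the nonce mechanism does not come into play.
    out["spoofed_init"] = cn.receive(Host(ident=0xC, loc=777).send(0xB, b"SYN"))

    # Duplicate Identifier: a second, honest host that happens to use 0xA
    # contacts the correspondent while A's session is alive.  Its nonce is
    # forced to differ from A's so the outcome is deterministic.
    other = Host(ident=0xA, loc=3)
    other.nonce = (mn.nonce + 2) % (1 << NONCE_BITS)
    out["dup_ident"] = cn.receive(other.send(0xB, b"SYN"))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

Running the script prints one line per scenario. In this model the correspondent cannot tell the duplicate-Identifier host from the off-path forgery (both are dropped for a nonce mismatch), and it accepts the spoofed initiation because a nonce only exists once a session does; whether the real protocol behaves the same is exactly what the questions in the message ask.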