Hi Tony,

> -----Original Message-----
> From: Tony Li [mailto:[email protected]]
> Sent: April 6, 2010 23:04
> To: Xu Xiaohu
> Cc: [email protected]
> Subject: Re: Some concerns about ILNP//:Re: [rrg] Recommendation
>
> > As such, some mechanisms described in Section 12.2 "Forged Identifier
> > Attacks" of draft-rja-ilnp-intro-03 seem problematic. Correct?
>
> Not at all. In fact, that is where all of the answers to your concerns are
> discussed.

The following text is quoted from Section 12.2:

"Second, the receiving node does not blindly accept any packet with the proper Source Identifier and proper Destination Identifier as an authentic packet. Instead, each node operating the I/L-split mode maintains a session cache for each of its correspondents, as described above. This cache contains two unidirectional nonce values (one used in control messages sent by this node, a different one used to authenticate messages from the other node). The cache also contains the currently valid set of Locators and set of Identifiers for each correspondent node. If a received packet contains valid Identifier values and a valid Destination Locator, but contains a Source Locator value that is not present in the session cache, the packet is dropped without further processing as an invalid packet, unless the packet also contains a Nonce Destination Option with the correct value used for packets from the node with that Source Identifier to this node. This prevents an off-path attacker from stealing an existing session."

This is the previous discussion content:

> >>>>> CONCERN #2: Host ID Global Uniqueness Assurance
>
> >> Again, absolutely nothing will happen. Identifiers are not global, they are
> >> only unique _within_ a locator. Thus, if your cache contains:
> >>
> >> (Locator A, Identifier I, Nonce N, Destination D)
> >> (Locator B, Identifier I, Nonce K, Destination D)
> >>
> >> And you now receive a packet with
> >>
> >> (Locator C, Identifier I, Nonce L, Destination D)
> >>
> >> Then the receiver drops it per the above rule. It's clearly a forgery.
> >
> > Why do you clearly believe the packet with (Locator C, Identifier I, Nonce
> > L, Destination D) is a forgery? ILNP doesn't require the identifier to be
> > globally unique. In other words, it is absolutely possible and legitimate
> > that two hosts having the same identifier communicate with a third party at
> > the same time.
>
> You're correct. I should have said that the packet does NOT match any
> current connection and thus appears to be an independent entity.
>
> > According to your above logic, if a malicious host impersonates the
> > legitimate identifier owner and establishes a session with a given server in
> > advance, does that mean the legitimate identifier owner will not be able to
> > access that server later?
>
> No, since a new connection was established.

Are the above two arguments in accordance with each other?

Best wishes,
Xiaohu

_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
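
The receive-side check in the quoted Section 12.2 text, run on the cache entries and packet from the thread, as an added example that is not part of the original message or of the ILNP draft. It covers only packets matched against existing sessions (how a new session is set up is out of scope); the cache layout, the names Session, Packet and check_packet, and the byte values standing in for nonces N, K and L are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    """One session-cache entry for a correspondent (layout is an assumption)."""
    src_identifier: str
    dst_identifier: str
    locators: set      # currently valid Source Locators of the correspondent
    nonce_in: bytes    # nonce expected on packets from the correspondent

@dataclass
class Packet:
    src_locator: str
    src_identifier: str
    dst_identifier: str
    nonce: Optional[bytes] = None   # Nonce Destination Option, if present

def check_packet(cache, pkt):
    """Return 'accept', 'accept-nonce' or 'drop' for an existing-session packet.

    Assumes the Identifier values and Destination Locator were already validated.
    """
    candidates = [s for s in cache
                  if s.src_identifier == pkt.src_identifier
                  and s.dst_identifier == pkt.dst_identifier]
    # Source Locator is present in the session cache: ordinary packet.
    if any(pkt.src_locator in s.locators for s in candidates):
        return "accept"
    # Unknown Source Locator: only the correct nonce keeps the packet alive.
    if pkt.nonce is not None:
        for s in candidates:
            if hmac.compare_digest(s.nonce_in, pkt.nonce):
                return "accept-nonce"
    return "drop"

def demo():
    # Constructed from the thread: two correspondents sharing Identifier I.
    cache = [Session("I", "D", {"A"}, b"N"), Session("I", "D", {"B"}, b"K")]
    packets = [
        Packet("A", "I", "D"),          # known locator
        Packet("C", "I", "D", b"L"),    # the packet from the thread
        Packet("C", "I", "D", b"K"),    # new locator, nonce of the second entry
        Packet("C", "I", "D"),          # new locator, no nonce option
    ]
    return [check_packet(cache, p) for p in packets]

if __name__ == "__main__":
    print(demo())
```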
