Short version: After 4 weeks of discussion, I think it is fair to
conclude that ILNP can't provide global mobility in
a robust manner.
The idea of "mobility" with only an Identifier which
is locally unique is not really "mobility".
There have been 33 messages in this thread since my first one:
http://www.ietf.org/mail-archive/web/rrg/current/msg07057.html
which cited Xiaohu Xu's original critique, 4 weeks ago:
http://www.ietf.org/mail-archive/web/rrg/current/msg07042.html
in which he proposed what I later called the "identifier squatting"
DoS attack.
In all these discussions I don't recall any evidence that this attack
is invalid. There have been arguments that it is equivalent to MAC
stealing, but I don't accept this, since the victim's Identifier is
easily found by the attacker (from DNS lookup of the victim's FQDN),
because the attacker's action DoSes the victim in an entire /64, not
just a particular LAN within it and because the attacker's actions
are indistinguishable from the actions of an ordinary IPv6 or ILNP
host. (MAC stealing involves learning the MAC number, which can only
be done from some LAN the victim host attaches to - and the attack
only works within the scope of a LAN.
Part of the discussion involved questions about relying on the
uniqueness of MAC addresses, or other identifying numbers for the
hardware the host runs on. This is a separate question from that of
the "identifier squatting" attack, but several people noted that it
was not uncommon for MAC addresses to be duplicated. Also, it was
pointed out that with virtual hosts, there may be no unique hardware
involved at all.
Another part of the discussion involved how to combine mobility -
implicitly global mobility of an Identifier - with some mechanism for
choosing multiple Identifiers in order to give the user "privacy".
"Privacy" in this sense means something like support for anonymous
browsing (but not just for HTTP, of course): being able to use a
series of Identifiers so as to avoid the sites they communicate with
comparing notes and recognising multiple sessions as having
originated from a particular host. I think this is a separate matter
from the problem I was discussing, and I mentioned that I can't think
of any method, with ILNP - or any other architecture, including
today's IP protocols - of reliably achieving a "privacy / anonymity"
goal such as this.
Ran has not responded to this critique of the mobility aspect of his
architecture. Tony has responded, but I don't think he denied that
the attack would succeed. Steven Blake (msg07086) acknowledged the
attack exists.
The recent messages between Christian Müller and Tony Li concerned
the concept of "mobility" with an Identifier AAAA which is only known
to be locally unique - within a given /64 PPPP. (So its IPv6 address
is PPPP-AAAA.) When that host connects to an access network which
uses /64 QQQQ, it may find that it can't use its Identifier AAAA,
because some other host is already using it, either as an IPv-6 host,
or as an ILNP host. In both cases the IPv6 address QQQQ-AAAA can't be
used by our "mobile" host.
Tony acknowledges this:
>> what happens if a mobile device (with a locally unique id)
>> roams into a subnet when there is a different device on
>> that subnet already that uses the same Identifier value?
>
> Not much. The device needs a new locally unique ID. The one
> that it previously acquired only had local scope.
So this supposed form of "Mobility" may require getting a new
Identifier when using another access network.
This is not really "Mobility". I think "Mobility" in the sense most
people have been aiming for in the context of the RRG is for the host
to retain its Identifier and maintain its sessions, no matter what
access networks it roams to.
TTR Mobility will provide this - by the mobile host retaining one or
more global unicast IP addresses, no matter what access network it uses.
ILNP could principle do it properly, if both these were true:
1 - Each host has an Identifier which is truly globally unique.
2 - There is some way of preventing any host on any access network
it wants to use, from gaining the corresponding IP address
first.
Regarding point 1, Tony and I think Ran have either argued against
the need for absolutely globally unique Identifiers, and/or have
argued that generating an Identifier from a MAC number (AKA
"address", though some people object to this term for MAC) or the
like will, for all practical purposes, achieve this. If ILNP was to
be used, I think there would need to be a better way of choosing
Identifiers to be globally unique than relying on MAC number etc.
The only approach I can think of would be hierarchical assignment.
However Tony argued against this on grounds of privacy (anonymity) in
(msg07131) and because of problems with bureaucracy (msg07100).
Point 2 is the only way to prevent the "Identifier squatting" DoS
attack - and no-one has suggested a way of achieving this.
So I conclude that ILNP can't do global mobility in a robust fashion,
due to 2 above, and also due to reliance on MAC numbers and the like
leading to some probably low, but still unacceptable, level of
Identifier clashes.
Mobility with a locally unique Identifier is not mobility at all, at
least in the sense that most of us are aiming for.
- Robin
_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
