I agree.
On Saturday 24 July 2010 at 09:32:55 Robin Whittle sent:

> Short version: After 4 weeks of discussion, I think it is fair to
> conclude that ILNP can't provide global mobility in a robust manner.
>
> The idea of "mobility" with only an Identifier which is locally
> unique is not really "mobility".
>
>
> There have been 33 messages in this thread since my first one:
>
>   http://www.ietf.org/mail-archive/web/rrg/current/msg07057.html
>
> which cited Xiaohu Xu's original critique, 4 weeks ago:
>
>   http://www.ietf.org/mail-archive/web/rrg/current/msg07042.html
>
> in which he proposed what I later called the "identifier squatting"
> DoS attack.
>
> In all these discussions I don't recall any evidence that this attack
> is invalid. There have been arguments that it is equivalent to MAC
> stealing, but I don't accept this, since the victim's Identifier is
> easily found by the attacker (from DNS lookup of the victim's FQDN),
> because the attacker's action DoSes the victim in an entire /64, not
> just a particular LAN within it, and because the attacker's actions
> are indistinguishable from the actions of an ordinary IPv6 or ILNP
> host. (MAC stealing involves learning the MAC number, which can only
> be done from some LAN the victim host attaches to - and the attack
> only works within the scope of a LAN.)
>
> Part of the discussion involved questions about relying on the
> uniqueness of MAC addresses, or other identifying numbers for the
> hardware the host runs on. This is a separate question from that of
> the "identifier squatting" attack, but several people noted that it
> was not uncommon for MAC addresses to be duplicated. Also, it was
> pointed out that with virtual hosts, there may be no unique hardware
> involved at all.
>
> Another part of the discussion involved how to combine mobility -
> implicitly global mobility of an Identifier - with some mechanism for
> choosing multiple Identifiers in order to give the user "privacy".
> "Privacy" in this sense means something like support for anonymous
> browsing (but not just for HTTP, of course): being able to use a
> series of Identifiers so as to avoid the sites they communicate with
> comparing notes and recognising multiple sessions as having
> originated from a particular host. I think this is a separate matter
> from the problem I was discussing, and I mentioned that I can't think
> of any method, with ILNP - or any other architecture, including
> today's IP protocols - of reliably achieving a "privacy / anonymity"
> goal such as this.
>
> Ran has not responded to this critique of the mobility aspect of his
> architecture. Tony has responded, but I don't think he denied that
> the attack would succeed. Steven Blake (msg07086) acknowledged the
> attack exists.
>
> The recent messages between Christian Müller and Tony Li concerned
> the concept of "mobility" with an Identifier AAAA which is only known
> to be locally unique - within a given /64 PPPP. (So its IPv6 address
> is PPPP-AAAA.) When that host connects to an access network which
> uses /64 QQQQ, it may find that it can't use its Identifier AAAA,
> because some other host is already using it, either as an IPv6 host,
> or as an ILNP host. In both cases the IPv6 address QQQQ-AAAA can't be
> used by our "mobile" host.
>
> Tony acknowledges this:
>
>>> what happens if a mobile device (with a locally unique id)
>>> roams into a subnet when there is a different device on
>>> that subnet already that uses the same Identifier value?
>>
>> Not much. The device needs a new locally unique ID. The one
>> that it previously acquired only had local scope.
>
> So this supposed form of "Mobility" may require getting a new
> Identifier when using another access network.
>
> This is not really "Mobility". I think "Mobility" in the sense most
> people have been aiming for in the context of the RRG is for the host
> to retain its Identifier and maintain its sessions, no matter what
> access networks it roams to.
>
> TTR Mobility will provide this - by the mobile host retaining one or
> more global unicast IP addresses, no matter what access network it uses.
>
> ILNP could in principle do it properly, if both these were true:
>
>   1 - Each host has an Identifier which is truly globally unique.
>
>   2 - There is some way of preventing any host on any access network
>       it wants to use, from gaining the corresponding IP address
>       first.
>
> Regarding point 1, Tony and I think Ran have either argued against
> the need for absolutely globally unique Identifiers, and/or have
> argued that generating an Identifier from a MAC number (AKA
> "address", though some people object to this term for MAC) or the
> like will, for all practical purposes, achieve this. If ILNP was to
> be used, I think there would need to be a better way of choosing
> Identifiers to be globally unique than relying on MAC number etc.
> The only approach I can think of would be hierarchical assignment.
> However Tony argued against this on grounds of privacy (anonymity) in
> (msg07131) and because of problems with bureaucracy (msg07100).
>
> Point 2 is the only way to prevent the "Identifier squatting" DoS
> attack - and no-one has suggested a way of achieving this.
>
> So I conclude that ILNP can't do global mobility in a robust fashion,
> due to 2 above, and also due to reliance on MAC numbers and the like
> leading to some probably low, but still unacceptable, level of
> Identifier clashes.
>
> Mobility with a locally unique Identifier is not mobility at all, at
> least in the sense that most of us are aiming for.
>
>   - Robin
> _______________________________________________
> rrg mailing list
> [email protected]
> http://www.irtf.org/mailman/listinfo/rrg
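Added example, not part of the thread above and not code from any ILNP implementation: a small Python model of the "identifier squatting" DoS that Robin describes, plus the duplicate-MAC clash raised as a separate point. It derives the Identifier (AAAA) from a MAC the way IPv6 forms a modified EUI-64, glues it to a /64 Locator (PPPP or QQQQ) to get the on-the-wire address, and models each access network's duplicate-address check as a table of low-64 values already claimed on that link. The hostnames, MACs, prefixes and the "DNS" table are all constructed for the illustration; the point it shows is that the attacker only needs the public Identifier, not any presence on the victim's home LAN, and that on the visited link its claim looks like any other host's.

```python
# Added example (not from the RRG thread): a toy model of the "identifier
# squatting" DoS against ILNP-style mobility. All names, MACs, prefixes and
# the DNS table below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


def eui64_identifier(mac: str) -> int:
    """Derive a 64-bit Identifier from a 48-bit MAC the way IPv6 builds a
    modified EUI-64 (RFC 4291, Appendix A): split the MAC, insert 0xfffe in
    the middle and invert the Universal/Local bit of the first octet."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:1a:2b:3c:4d:5e")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def ilnp_address(locator: str, identifier: int) -> ipaddress.IPv6Address:
    """Locator (a /64 prefix, PPPP in the thread) + Identifier (AAAA) ->
    the 128-bit address the packets actually carry."""
    net = ipaddress.IPv6Network(locator)
    if net.prefixlen != 64:
        raise ValueError("ILNP locators are /64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | identifier)


@dataclass
class AccessNetwork:
    """One /64. `in_use` models what duplicate address detection sees: the
    low-64 values already claimed on this link, by anyone. An ordinary IPv6
    host and an ILNP host are indistinguishable at this level."""
    locator: str
    in_use: dict = field(default_factory=dict)  # identifier -> owner

    def attach(self, host: str, identifier: int) -> bool:
        owner = self.in_use.get(identifier)
        if owner is not None and owner != host:
            return False  # locator+identifier already taken on this /64
        self.in_use[identifier] = host
        return True


# Constructed "DNS": the victim publishes its Identifier so peers can reach
# it. This is what lets a remote attacker learn AAAA without ever being on
# the victim's LAN (the difference from MAC stealing noted in the thread).
FAKE_DNS = {"victim.example": eui64_identifier("00:1a:2b:3c:4d:5e")}


def squatting_attack() -> dict:
    """Attacker reads the victim's Identifier from DNS and claims it on a
    network the victim is about to roam into. Returns who got what."""
    home = AccessNetwork("2001:db8:1::/64")      # PPPP
    visited = AccessNetwork("2001:db8:2::/64")   # QQQQ
    victim_id = FAKE_DNS["victim.example"]

    at_home = home.attach("victim", victim_id)
    # The attacker's claim on the visited link is a normal-looking address
    # configuration; nothing distinguishes it from a legitimate host.
    squatted = visited.attach("attacker", victim_id)
    roamed = visited.attach("victim", victim_id)   # fails: QQQQ-AAAA taken

    return {
        "victim_home_addr": str(ilnp_address(home.locator, victim_id)),
        "victim_attached_home": at_home,
        "attacker_squatted": squatted,
        "victim_attached_visited": roamed,
        "squatted_addr": str(ilnp_address(visited.locator, victim_id)),
    }


def duplicate_mac_clash() -> bool:
    """Separate point from the thread: two hosts that happen to share a MAC
    derive the same Identifier and so cannot both be on one /64."""
    net = AccessNetwork("2001:db8:3::/64")
    ident = eui64_identifier("02:00:00:00:00:01")
    return net.attach("host-a", ident) and not net.attach("host-b", ident)


if __name__ == "__main__":
    for key, value in squatting_attack().items():
        print(f"{key}: {value}")
    print("duplicate-MAC clash:", duplicate_mac_clash())
```

Running it shows the victim holding 2001:db8:1:0:21a:2bff:fe3c:4d5e at home while the attacker holds 2001:db8:2:0:21a:2bff:fe3c:4d5e on the visited /64, so the roaming victim's attach fails. The model deliberately has no notion of who "owns" an Identifier, which is exactly the missing mechanism the thread's point 2 asks for: with only first-come-first-served uniqueness per link, there is nothing to check against.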
