Re: Checksum in IPv6 header
Hi Iljitsh,
You have a point when you say that if a malicious router could toggle
some bits, it could as well drop the packet.
However, there is one small part you miss. In the above case the router
can only affect traffic going through it. It would be an attack if, by
toggling bits on the flows through a router, the router could actually
affect flows not going through it. However, if it could bump up
the priority (in the simplest terms) of the packets going through it,
it could affect the flows of packets on other routers, as the number of
packets needing the highest priority would considerably increase. It's an
issue, but of slightly lesser priority.
Thanks,
Vishwas
On Feb 1, 2008 7:19 AM, Iljitsch van Beijnum <iljitsch at muada.com> wrote:
> On 1 feb 2008, at 16:12, Rahim Choudhary wrote:
>
> > Now if the change is in the mutable fields (DSCP, TTL) then no
> > IPSec measure seems to be able to detect that. This could be a
> > vulnerability that either causes the packets to drop on the way (TTL
> > manipulation) or assigns them to the wrong class (DSCP manipulation).
>
> Who cares?
>
> If an attacker can flip your bits she can also flip the most
> significant bit in the destination address and you'll never receive
> that packet. The only thing a cryptographic hash over the header would
> give you there is the ability to drop the packet even sooner.
>
> And how exactly are you going to have a HMAC or some such over header
> fields? That requires having secret keying material in EVERY ROUTER
> ALONG THE PATH.
>
> Can we please stop this discussion?
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
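The point Rahim and Iljitsch are arguing over can be made concrete. IPsec AH (RFC 4302, section 3.3.3.1.2) computes its ICV over the IPv6 base header with the mutable fields (Traffic Class, i.e. DSCP and ECN, Flow Label, and Hop Limit) zeroed, so a change to any of them is invisible to the receiver, while a change to an immutable field such as the destination address breaks the ICV. The script below is an added example written for this thread, not code from the list or from any IPsec implementation. It assumes HMAC-SHA-256 truncated to 128 bits as the ICV algorithm, a fixed test key, and a constructed packet; the AH header it builds carries a placeholder SPI and sequence number and is not wire-interoperable with anything.

```python
"""Added example: why an AH ICV cannot detect DSCP / Hop Limit rewriting
but does detect a flipped destination-address bit.

Assumptions (not from the thread): HMAC-SHA-256-128 as the ICV algorithm,
a fixed test key, a placeholder SPI/sequence number, constructed payload.
"""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16                       # HMAC-SHA-256-128 (RFC 4868): 128-bit ICV
AH_FIXED_LEN = 12                  # Next Header, Payload Len, Reserved, SPI, Seq
KEY = b"constructed-test-key-not-for-real-use"   # assumption: shared SA key


def build_ipv6_header(tc, flow, payload_len, next_hdr, hop_limit, src, dst):
    """Serialize an IPv6 base header (RFC 8200 section 3): 40 bytes."""
    first_word = (6 << 28) | (tc << 20) | flow
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_hdr,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def zero_mutable_fields(hdr):
    """Copy of the base header with the fields RFC 4302 calls mutable zeroed:
    Traffic Class and Flow Label (low 28 bits of word 0) and Hop Limit (byte 7).
    Version, Payload Length, Next Header and both addresses stay covered."""
    first_word, = struct.unpack("!I", hdr[:4])
    first_word &= 0xF0000000                       # keep only Version
    return struct.pack("!I", first_word) + hdr[4:7] + b"\x00" + hdr[8:]


def ah_icv(key, ipv6_hdr, ah_fields, payload):
    """ICV over: zeroed-mutable IPv6 header || AH header with ICV field zeroed
    || payload. Truncated to ICV_LEN as the SA's algorithm prescribes."""
    ah_hdr = ah_fields + b"\x00" * ICV_LEN
    data = zero_mutable_fields(ipv6_hdr) + ah_hdr + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def receiver_accepts(key, ipv6_hdr, ah_fields, received_icv, payload):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    expected = ah_icv(key, ipv6_hdr, ah_fields, payload)
    return hmac.compare_digest(expected, received_icv)


def set_dscp_and_hop_limit(hdr, dscp, hop_limit):
    """Rewrite DSCP (top 6 bits of Traffic Class, bits 27..22 of word 0) and
    Hop Limit (byte 7): what a router on the path can do to the packet."""
    first_word, = struct.unpack("!I", hdr[:4])
    first_word = (first_word & (0xFFFFFFFF ^ (0x3F << 22))) | (dscp << 22)
    return struct.pack("!I", first_word) + hdr[4:7] + bytes([hop_limit]) + hdr[8:]


def flip_dst_msb(hdr):
    """The attack Iljitsch describes: flip the most significant bit of the
    destination address (byte 24 of the base header)."""
    return hdr[:24] + bytes([hdr[24] ^ 0x80]) + hdr[25:]


def demo(key=KEY):
    """Send one AH-protected packet, apply each tampering, report whether the
    receiver's ICV check catches it."""
    payload = b"constructed upper-layer payload, not a real datagram"
    # AH header: Next Header 17 (UDP stand-in), Payload Len = (28/4)-2 = 5,
    # Reserved, SPI and Seq are placeholders (assumption).
    ah_fields = struct.pack("!BBHII", 17, 5, 0, 0x1000, 1)
    hdr = build_ipv6_header(tc=0, flow=0x12345,
                            payload_len=AH_FIXED_LEN + ICV_LEN + len(payload),
                            next_hdr=51, hop_limit=64,
                            src="2001:db8::1", dst="2001:db8::2")
    icv = ah_icv(key, hdr, ah_fields, payload)

    # Case 1: router rewrites DSCP to EF (46) and drops Hop Limit to 1.
    tampered = set_dscp_and_hop_limit(hdr, 46, 1)
    mutable_detected = not receiver_accepts(key, tampered, ah_fields, icv, payload)

    # Case 2: router flips the MSB of the destination address.
    redirected = flip_dst_msb(hdr)
    dst_detected = not receiver_accepts(key, redirected, ah_fields, icv, payload)

    return {"mutable_field_change_detected": mutable_detected,
            "dst_address_change_detected": dst_detected}


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {caught}")
```

Case 1 passes the receiver's check unchanged, which is exactly the gap Rahim points at: DSCP and Hop Limit are excluded from the ICV by design, because routers legitimately rewrite them. Case 2 fails the check, but only if the packet ever reaches the receiver; with the destination's top bit flipped it is routed elsewhere, which is Iljitsch's point that the hash would merely let you drop the packet sooner.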