Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.

To: Henrik Levkowetz <henrik@levkowetz.com>
Subject: Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.
From: Pete McCann <mccap@lucent.com>
Date: Thu, 21 Aug 2003 00:30:52 -0500
Cc: "Charles E. Perkins" <charliep@iprg.nokia.com>, mip4@ietf.org
In-reply-to: <20030820010840.33d169eb.henrik@levkowetz.com>
List-help: <mailto:mip4-request@ietf.org?subject=help>
List-id: Mobility for IPv4 <mip4.ietf.org>
List-post: <mailto:mip4@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/mip4>,<mailto:mip4-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/mip4>,<mailto:mip4-request@ietf.org?subject=unsubscribe>
References: <20030813103506.3f0c4305.henrik@levkowetz.com><3F42A64D.BA9A067D@iprg.nokia.com><20030820010840.33d169eb.henrik@levkowetz.com>
Sender: mip4-admin@ietf.org

Hi,

Just to amplify on one point made by Henrik:

Henrik Levkowetz writes:
 > > > - Add the following at the end of Section 12:
 > > > 
 > > >     Note that an active attacker may try to prevent successful
 > > >     registrations by sending a large number of Agent Solicitations or
 > > >     bogus Registration Requests, each of which could cause the FA to
 > > >     respond with a fresh challenge, invalidating the challenge that the
 > > >     MN is currently trying to use.  To prevent such attacks, the FA
 > > >     SHOULD repeat the same challenge value in successive unicast
 > > >     responses to Agent Solicitations or in Registration Replies to
 > > >     Requests that did not contain valid MN-AAA or MN-FA authentication
 > > >     extensions for some limited period of time (on the order of 60
 > > >     seconds).  Note that each challenge returned to an MN MUST be
 > > >     previously unused by that MN.
 > > 
 > > Even better if the foreign agent allows more than one mobile node
 > > to use the same challenge value.  Why not?
 > 
 > This is the case with multicast challenges, of course. But currently we
 > only require the FA to remember one individual challenge per mobile
 > node, and if an impostor has the ability to invalidate that one (by
 > causing it to be replaced by a newer one) it has blocked the mobile from
 > succeeding in its next registration attempt.

A good way to think about this problem is to realize that the FA is
keeping state (look at Appendix E): there is the global list of
challenges and then there is the per-MN data structure that includes
one unused challenge per MN.  If we ever allow unauthenticated
messages (such as ordinary solicitations or bogus Registration
Requests) to trigger a modification of this state, then we are in
trouble.

-Pete


_______________________________________________
Mip4 mailing list
Mip4@ietf.org
https://www.ietf.org/mailman/listinfo/mip4

References:
- [Mip4] Current state of 3012bis solicited agent advertisement issue.
  - From: Henrik Levkowetz
- Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.
  - From: Charles E. Perkins
- Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.
  - From: Henrik Levkowetz

Prev by Date: Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.
Next by Date: [Mip4] WG last call follow-up for vpn traversal problem statement
Previous by thread: Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.
Next by thread: [Mip4] New Issue: 3102bis Stale Challenge may cause a DOS
Index(es):
- Date
- Thread

Re: [Mip4] Current state of 3012bis solicited agent advertisement issue.

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.