[MEXT] Issue #2: Recommendation for closure on "Use of DHAAD mechanism"

Hello folks,

After 80,000 messages, discussion about the DHAAD
discovery message suddenly stopped when, it seemed
to me, a resolution was nearly at hand.  After reading
through the "harmful" ID that was submitted, I imported
a bit of text for another try at a resolution to be used in
rfc3775bis.  Here is the resulting modification to
Julien's previous effort.

------------------------------------------------------------------------
OLD:

15.5.  Dynamic Home Agent Address Discovery

  The dynamic home agent address discovery function could be used to
  learn the addresses of home agents in the home network.

  The ability to learn addresses of nodes may be useful to attackers
  because brute-force scanning of the address space is not practical
  with IPv6.  Thus, they could benefit from any means which make
  mapping the networks easier.  For example, if a security threat
  targeted at routers or even home agents is discovered, having a
  simple ICMP mechanism to easily find out possible targets may prove
  to be an additional (though minor) security risk.

  Apart from discovering the address(es) of home agents, attackers will
  not be able to learn much from this information, and mobile nodes
  cannot be tricked into using wrong home agents, as all other
  communication with the home agents is secure.

NEW:

15.5.  Dynamic Home Agent Address Discovery

  The dynamic home agent address discovery function could be used to
  learn the addresses of home agents in the home network.

  The ability to learn addresses of nodes may be useful to attackers
  because brute-force scanning of the address space is not practical
  with IPv6.  Thus, they could benefit from any means which make
  mapping the networks easier.  For example, if a security threat
  targeted at routers or even home agents is discovered, having a
  simple ICMP mechanism to easily find out possible targets may prove
  to be an additional (though minor) security risk.

*  This document does not define any authentication mechanism for
*  dynamic home agent address discovery messages. Therefore the home
*  agent cannot verify the home address of the mobile node that
*  requested the list of home agents.

  Apart from discovering the address(es) of home agents, attackers will
  not be able to learn much from this information, and mobile nodes
  cannot be tricked into using wrong home agents, as all other
  communication with the home agents is secure.

*  In cases where additional security is needed, one may consider
*  instead the use of MIPv6 bootstrapping [RFC5026] (based on
*  DNS SRV Resource Records [RFC2782]) in conjunction with security
*  mechanisms suggested in these specifications.  In that solution,
*  security is provided by the DNSSEC [RFC4033] framework.  The needed
*  pre-configured data on the mobile node for this mechanism is the
*  domain name of the mobile service provider, which is marginally better
*  than the home subnet prefix.  For the security, a trust anchor which
*  dominates the domain is needed.
*
*  Finally, it should be noted that the specification of ICMP to carry
*  DHAAD incurs a certain deployability risk related to the perceived
*  insecurity of ICMP messages.  Many ISPs are blocking ICMP on all links
*  except the first hop, because ICMP is known to be a vehicle for DoS
*  attacks and other sorts of threats.

------------------------------------------------------------------------

Regards,
Charlie P.
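The proposed text above makes two observations a network defender can act on: DHAAD runs over plain ICMPv6 with no authentication, and its only real value to an attacker is mapping home agents across prefixes. The following is an added example, not text or code from the MEXT post or from rfc3775bis. It parses the ICMPv6 Home Agent Address Discovery Request (type 144) and Reply (type 145) bodies as laid out in RFC 3775, then runs a simple detector over constructed traffic: a source that solicits the Home-Agents anycast address (RFC 2526 interface identifier fdff:ffff:ffff:fffe) of many different subnet prefixes is flagged as a likely mapping attempt, while a single mobile node querying its one home prefix is not. The function names, the `max_prefixes_per_source` threshold and every address below are assumptions made for this example.

```python
# Added example (not from the MEXT post or from RFC 3775/rfc3775bis).
# Parses ICMPv6 DHAAD Request/Reply bodies and flags sources that solicit
# the Home-Agents anycast address of many prefixes. All sample addresses
# and the threshold are constructed for this example.
import ipaddress
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass

ICMPV6_DHAAD_REQUEST = 144  # ICMPv6 type, RFC 3775 section 6.5
ICMPV6_DHAAD_REPLY = 145    # ICMPv6 type, RFC 3775 section 6.6


@dataclass
class DhaadMessage:
    msg_type: int
    identifier: int
    home_agents: list  # addresses carried in a Reply; empty for a Request


def parse_dhaad(payload: bytes) -> DhaadMessage:
    """Parse the ICMPv6 body of a DHAAD Request or Reply.
    Layout (RFC 3775): type(1) code(1) checksum(2) identifier(2) reserved(2),
    followed in a Reply by zero or more 16-byte home agent addresses."""
    if len(payload) < 8:
        raise ValueError("DHAAD message shorter than its 8-byte header")
    msg_type, code, _checksum, identifier, _reserved = struct.unpack("!BBHHH", payload[:8])
    if msg_type not in (ICMPV6_DHAAD_REQUEST, ICMPV6_DHAAD_REPLY):
        raise ValueError(f"not a DHAAD message (type {msg_type})")
    if code != 0:
        raise ValueError("DHAAD code must be 0")
    body = payload[8:]
    if msg_type == ICMPV6_DHAAD_REQUEST:
        if body:
            raise ValueError("DHAAD Request carries no address list")
        return DhaadMessage(msg_type, identifier, [])
    if len(body) % 16 != 0:
        raise ValueError("DHAAD Reply address list is not a multiple of 16 bytes")
    agents = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
    return DhaadMessage(msg_type, identifier, agents)


def build_dhaad_request(identifier: int) -> bytes:
    # Checksum left at 0: it covers the IPv6 pseudo-header, which this example does not model.
    return struct.pack("!BBHHH", ICMPV6_DHAAD_REQUEST, 0, 0, identifier, 0)


def build_dhaad_reply(identifier: int, agents) -> bytes:
    header = struct.pack("!BBHHH", ICMPV6_DHAAD_REPLY, 0, 0, identifier, 0)
    return header + b"".join(ipaddress.IPv6Address(a).packed for a in agents)


def home_agents_anycast(prefix: str) -> str:
    # Mobile IPv6 Home-Agents anycast address: the subnet prefix with the
    # RFC 2526 reserved interface identifier fdff:ffff:ffff:fffe.
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | 0xFDFFFFFFFFFFFFFE))


def detect_dhaad_sweeps(packets, max_prefixes_per_source=3):
    """packets: iterable of (src, dst, icmpv6_payload). Returns a list of alert dicts.
    A mobile node normally solicits one home subnet prefix; a source probing the
    Home-Agents anycast address of many prefixes looks like network mapping."""
    prefixes_by_src = defaultdict(set)
    requests_by_src = Counter()
    disclosed = Counter()  # home agent addresses disclosed in replies, per requester
    for src, dst, payload in packets:
        try:
            msg = parse_dhaad(payload)
        except ValueError:
            continue  # not DHAAD, or malformed: out of scope for this detector
        if msg.msg_type == ICMPV6_DHAAD_REQUEST:
            requests_by_src[src] += 1
            prefixes_by_src[src].add(str(ipaddress.IPv6Network(f"{dst}/64", strict=False)))
        else:
            disclosed[dst] += len(msg.home_agents)
    alerts = []
    for src, prefixes in prefixes_by_src.items():
        if len(prefixes) > max_prefixes_per_source:
            alerts.append({"src": src, "requests": requests_by_src[src],
                           "prefixes": len(prefixes), "agents_disclosed": disclosed[src]})
    return alerts


def sample_packets():
    """Constructed traffic: one legitimate mobile node and one source sweeping
    the Home-Agents anycast address of five different /64 prefixes."""
    legit, sweeper = "2001:db8:cafe::1", "2001:db8:bad::1"
    pkts = [(legit, home_agents_anycast("2001:db8:1::/64"), build_dhaad_request(1)),
            ("2001:db8:1::1", legit, build_dhaad_reply(1, ["2001:db8:1::1"]))]
    for n in range(5):
        pkts.append((sweeper, home_agents_anycast(f"2001:db8:{n}::/64"), build_dhaad_request(100 + n)))
    pkts.append(("2001:db8:2::1", sweeper, build_dhaad_reply(102, ["2001:db8:2::1", "2001:db8:2::2"])))
    return pkts


if __name__ == "__main__":
    for alert in detect_dhaad_sweeps(sample_packets()):
        print(alert)
```

The detector keys on destination prefixes rather than on the requester's source address because, as the proposed text notes, the home agent has no way to verify who sent the request; a mobile node away from home legitimately sends from an arbitrary care-of address. Counting disclosed addresses in the replies gives an idea of how much of the home agent list a sweeping source actually obtained.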




_______________________________________________
MEXT mailing list
MEXT at ietf.org
https://www.ietf.org/mailman/listinfo/mext