
[savi] Re: Working Group Adoption of Individual SAVI Documents



Hi,

Perhaps there is another potential danger that should be considered.
One node may have more than one IP address but only one interface in IPv6.
Assume node X has IPa and IPb, and its layer-2 address is MACx. According to FCFS, node X first uses IPa, so an entry with IPa and MACx is created in the SAVI device's DB. Node X then uses IPb, and another entry with IPb and MACx is also created. Node X may use IPb all the time from then on. Now we should note that if an attacker sends packets with IPa and MACx, the SAVI device will do nothing but forward the forged packets.

This case must be handled by FCFS.


Dong Zhang



----- Original Message -----
From: marcelo bagnulo braun <marcelo at it.uc3m.es>
Date: Friday, 19 December 2008, 3:11 AM
Subject: Re: [savi] Working Group Adoption of Individual SAVI Documents
To: Frank Xia <xiayangsong at huawei.com>
Cc: SAVI Mailing List <savi at ietf.org>, Christian Vogt <christian.vogt at ericsson.com>


> Hi Frank,
>  
>  some comments below...
>  
>  Frank Xia wrote:
>  > Hi Christian
>  >
>  > I was not in the against list of FCFS, however,
>  > I did express my concerns of the solution.
>  >
>  > The main idea is to build a source address validation rule
>  > using the first data packet.  IMHO, this solution is vulnerable.
>  >
>  > It seems to be hard to deal with the following scenarios:
>  > 1) A host is authorized to use a static address, while
>  >    the host is not connected to the network
>  Right, we need to think about how to deal with this case.
>  One obvious option is that since the address is manually configured
>  in the host, it can also be manually included in the SAVI cache, so it
>  knows that it has been manually assigned.
>  I understand that some people actually manually configure MAC-IP
>  address associations to perform this type of check.
>  
>  >
>  > 2) An IPv6 host periodically changes its interface ID
>  >    for privacy reasons.
>  Not sure why this is a problem; could you expand?
>  
>  > 3) In dynamic address configuration, an IP address
>  >    can be reused by other hosts.
>  >
>  This is no problem; the current draft actually deals with this.
>  
>  Regards, marcelo
>  
>  
>  > BR
>  > Frank
>  >
>  >
>  > ----- Original Message ----- From: "Christian Vogt" 
>  > <christian.vogt at ericsson.com>
>  > To: "SAVI Mailing List" <savi at ietf.org>
>  > Sent: Wednesday, December 17, 2008 11:14 PM
>  > Subject: [savi] Working Group Adoption of Individual SAVI Documents
>  >
>  >
>  >> Dear all -
>  >>
>  >> At the previous SAVI meeting in Minneapolis, we did a vote regarding
>  >> which individual documents to use as starting points for the SAVI
>  >> working group deliverables.  I would now like to confirm this decision
>  >> from Minneapolis here on the mailing list.
>  >>
>  >> The result of the vote in Minneapolis was thus:
>  >>
>  >> - To adopt draft-mcpherson-savi-threat-scope as a starting point for the
>  >>   Threats Analysis (Problem Statement) document:  7 in favour, 0
>  >>   against.
>  >>
>  >> - To adopt draft-vogt-savi-rationale as a starting point for the
>  >>   Rationale document:  7 in favour, 0 against.
>  >>
>  >> - To adopt draft-bagnulo-savi-fcfs as a starting point for both the IPv4
>  >>   and IPv6 Solution documents:  11 in favour, 2 against.
>  >>
>  >> - To adopt draft-bagnulo-savi-send as a starting point for the
>  >>   SeND-based IPv6 Solution document:  8 in favour, 1 against.
>  >>
>  >> Arguments raised by those voting against the adoption of one of the
>  >> individual documents above related to potential security vulnerabilities
>  >> or potential issues with mobile hosts.  Both arguments would need to be
>  >> addressed as the working group deliverables are being advanced.
>  >>
>  >> Please express on this mailing list whether or not you agree with the
>  >> above documents being adopted by the SAVI working group as starting
>  >> points for the various working group deliverables.  Please also state
>  >> the reasons in case you are against one of the documents being adopted.
>  >>
>  >> - Christian
>  >>
>  >>
>  >> _______________________________________________
>  >> savi mailing list
>  >> savi at ietf.org
>  >> https://www.ietf.org/mailman/listinfo/savi
>  >>
>  >


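The multi-address scenario from Dong Zhang's message, worked through as an added example (this code is not from the original thread or from the SAVI drafts). It simulates a stripped-down first-come-first-served binding table in Python. The class and function names, the port names and the 2001:db8::/32 addresses are all made up for illustration, and the table is a simplification: it does no DAD probing and has no binding lifetimes. It runs the same packet sequence twice, once with the link-layer address as the binding anchor (the case the message describes, where the forged IPa/MACx packet is forwarded) and once with the ingress port as the anchor, which is the kind of binding anchor the FCFS draft describes for switched networks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IPv6 data packet as seen by the SAVI device (constructed sample input)."""
    src_ip: str
    src_mac: str
    port: str  # ingress port on the SAVI-capable switch


class FcfsSaviTable:
    """Minimal first-come-first-served source-address binding table.

    anchor="mac":  bind each source address to the sender's link-layer address
                   (the situation described in the message above).
    anchor="port": bind each source address to the ingress port instead.
    Hypothetical simplification: no DAD probe, no lifetimes, no removal.
    """

    def __init__(self, anchor: str = "port") -> None:
        if anchor not in ("mac", "port"):
            raise ValueError(f"unknown binding anchor: {anchor}")
        self.anchor = anchor
        self.bindings: dict[str, str] = {}  # src_ip -> anchor value

    def _anchor_of(self, pkt: Packet) -> str:
        return pkt.src_mac if self.anchor == "mac" else pkt.port

    def process(self, pkt: Packet) -> str:
        """Apply FCFS: first sender to use an address owns it; return FORWARD or DROP."""
        anchor_value = self._anchor_of(pkt)
        owner = self.bindings.get(pkt.src_ip)
        if owner is None:
            # First packet claiming this source address: create the binding.
            self.bindings[pkt.src_ip] = anchor_value
            return "FORWARD"
        # Address already bound: only the original anchor may keep using it.
        return "FORWARD" if owner == anchor_value else "DROP"


def run_scenario(anchor: str, attacker_port: str = "ge-0/0/7") -> list[str]:
    """Replay node X (IPa then IPb, same MACx) followed by an attacker forging IPa/MACx.

    Returns the per-packet decisions in order. All identifiers are assumed values.
    """
    table = FcfsSaviTable(anchor)
    ipa, ipb, macx, port_x = "2001:db8::a", "2001:db8::b", "00:11:22:33:44:55", "ge-0/0/1"
    decisions = [
        table.process(Packet(ipa, macx, port_x)),  # node X starts with IPa -> binding created
        table.process(Packet(ipb, macx, port_x)),  # node X moves to IPb -> second binding created
        table.process(Packet(ipb, macx, port_x)),  # node X keeps using IPb; IPa binding stays
        table.process(Packet(ipa, macx, attacker_port)),  # attacker forges IPa with MACx
    ]
    return decisions


if __name__ == "__main__":
    print("MAC anchor :", run_scenario("mac"))   # forged packet is forwarded
    print("port anchor:", run_scenario("port"))  # forged packet is dropped
    print("port anchor, attacker on node X's port:", run_scenario("port", "ge-0/0/1"))
```

With the MAC as anchor the stale IPa binding still matches the attacker's frames, so the forgery passes, exactly as the message says. Anchoring on the ingress port rejects the forgery from any other port, but the third call shows the remaining limit: an attacker behind the same port (a shared segment or a downstream unmanaged switch) is indistinguishable from node X, so the anchor must be chosen per deployment.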
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.