
Re: [savi] Re: Re: Working Group Adoption of Individual SAVI Documents



Guang Yao wrote:
> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo at it.uc3m.es]
> Sent: 29 December 2008 3:12
> To: Guang Yao
> Cc: 'Christian Vogt'; 'Lin Tao'; 'Frank Xia'; 'SAVI Mailing List'
> Subject: Re: Re: [savi] Working Group Adoption of Individual SAVI Documents
>
> Guang Yao wrote:
>> Dear Christian and Lin,
>>
>> It's clear that snooping ND cannot achieve better performance and security
>> than snooping data traffic. Actually snooping ND may cost more, for it must
>> trace the state of DAD.
>>
>> But IMO, it is not an issue of resource saving, but an issue of what SAVI
>> is intending to protect. If the SAVI device snoops ND to bind address and
>> anchor, it protects good guys who are working according to the standard.
>> But if it snoops data traffic and binds address and anchor using the
>> principle of FCFS, bad behaviors, such as attacks against DAD, are protected.
>>
>> Mr. Fred Baker once gave us a convincing example: when an attacker receives
>> a DAD NS, it immediately sends a packet with source address set to the
>> Target Address in the NS to make the SAVI device set up a binding without
>> replying with an NA. Then the DAD node, although it has finished a
>> successful DAD, cannot use the tentative address, for the SAVI device will
>> take its traffic as spoofing traffic.
>>
> but the attacker could send a NADV replying to the DAD NS and would
> achieve the same effect in a NS-based SAVI approach, wouldn't it?
> I mean, I fail to see how you improve security by relying on ND rather
> than on data packets... (FWIW, this is completely orthogonal to the
> FCFS approach, since FCFS may apply both to data packets or to ND
> packets)
>
> Regards, marcelo
>
> No, it wouldn't. Because the attacker has not finished a DAD to achieve the
> ownership of the Target Address in the NADV message, the SAVI device wouldn't
> bind this address with its anchor. And in this situation, the tentative node
> just fails to get an address and it knows that clearly. But in the FCFS case,
> it doesn't know the address assigned has been bound with another node, and
> it will try to send "spoofing" packets.
>
Right, I agree that the failure modes are different.

I think we are having two somehow orthogonal issues here:
- On one hand we are discussing what type of address ownership proof we
want to have. I think that irrespective of whether you use control
messages or data packets, you can use the FCFS principle as address
ownership proof. I mean, in both cases, the first node that sends a
packet with a given address claims the address ownership. The first
packet can be a data packet or a NS or NADV packet, but it is the FCFS
principle all the way. I don't think you are proposing a different
address ownership proof afaict
- On the other hand, there is the discussion whether we do this based on
data packets or using control packets (in particular NSol and NAdv). I
don't have a problem in doing it with both. I don't think you can do it
only with control packets. In particular, consider the case of optimistic
DAD. In that case, the node starts using the address even without having
completed the DAD. Moreover, DAD is a one-time operation that is
successful when there is no reply. So if we have a transient failure
during the DAD period, and packets are not delivered to the SAVI device
during that time, SAVI would fail. I do agree that it would be
interesting to evaluate if looking into ND messages could help to
prevent some scenarios such as the one you mention above. But I think
that a solution that solely relies on ND messages would not be very
robust (i.e. it would fail if the DAD packet is lost, for instance)



> And I mentioned SAVI must control the NA messages, for the Target Address in
> the NA message is another kind of source address. If the SAVI device has set
> up a binding table, it can filter spoofed NA with ease.
>
> It may be argued that in any situation, a node can avoid replying to an NS
> message even if the Target Address has been assigned to it, and the tentative
> node will be assigned a duplicated and "spoofing" address.
> But still it is very different because the probability for two nodes to
> generate the same address is little and the possible damage is trivial.
> But if an attacker designedly attacks against the tentative address, the
> consequence is very bad. Unfortunately, FCFS using data traffic makes this
> situation possible.
>
> IMO, binding address using data traffic is wrong because data traffic is not
> defined to have the function of assigning address to node. It is the
> necessary condition but not the sufficient condition.
>
>
but the problem is that there is no sufficient condition for knowing
that a node has configured an address. I mean, DAD messages can be lost
and they are only sent once in a non-reliable fashion. In addition,
nodes do optimistic DAD and start using the address without waiting for
the DAD to be completed.

So, if you want to design a robust mechanism you need to deal with all
that, and using data packets seems the ultimate line

(In order to deal with the attack you mention, the SAVI device can sniff
DAD packets and identify the suggested attacks if it first sees a DAD
packet and then a data packet with the same address and no DAD reply to
the original request... of course this makes the logic more complex)

Regards, marcelo


>> Although it is rather a security problem of ND than the fault of SAVI, the
>> SAVI device is protecting bad doings in the example.
>>
>> I think SAVI should at least protect normal behaviors and good guys, but
>> not protect bad behaviors.
>>
>> I also think SAVI should protect the Target Address in NA message, for it
>> is another kind of source address.
>>
>>
>> Guang
>> -----Original Message-----
>> From: Christian Vogt [mailto:christian.vogt at ericsson.com]
>> Sent: 23 December 2008 18:36
>> To: Lin Tao
>> Cc: Frank Xia; Marcelo Bagnulo Braun; SAVI Mailing List; 姚 广
>> Subject: Re: [savi] Working Group Adoption of Individual SAVI Documents
>>
>> Lin -
>>
>> I agree with you that DoS is an unsolved issue that we have yet to
>> tackle. However, I don't think we can solve the issue, for all address
>> configuration methods, simply by changing which packets we snoop.  SLAAC
>> in particular is an address configuration method where an attacker can
>> overload a SAVI device just as easily with control packets (i.e.,
>> Neighbor Solicitation packets) as with datagram packets.
>>
>> The only scenario in which snooping control packets instead of datagram
>> packets could mitigate the DoS issue is where addresses are exclusively
>> assigned via DHCP.  A SAVI device can then exclusively rely on messages
>> being sent by a server (not directly by the attacker), such that a DoS
>> attack against a SAVI device reduces to the existing threat of a DoS
>> attack against a DHCP server.
>>
>> FWIW:  Some SAVI participants were considering a DHCP-only option for
>> SAVI during IETF 73.
>>
>> - Christian
>>
>>
>>
>> On Dec 22, 2008, Lin Tao wrote:
>>
>>> Hello, Christian, Marcelo and Frank:
>>>
>>> I agree with Frank's view. Because the forwarding packet is
>>> observed in the FCFS draft, the forwarding process is disrupted,
>>> and the device is vulnerable, e.g. SAVI cache table exhausted,
>>> the CPU of the switch busy, etc.
>>>
>>> In my opinion, observing the Control Protocol, e.g. DHCP
>>> or ND etc, is easy to implement in a switch, for these protocols
>>> have special characteristics that can be filtered on the switch port while
>>> the forwarding packet is blocked.


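The binding logic the thread argues over, as an added Python sketch that is not code from any SAVI draft or from anyone on the thread: FCFS on data packets as the fallback, a pending DAD state so that a data packet from another port during someone else's DAD is caught (the race Fred Baker's example describes and marcelo's sniffing idea addresses), optimistic-DAD senders allowed early, and NA target addresses checked against the binding table. DAD_WAIT, the (time, kind, anchor, address) event shape, the port names and the decision strings are all assumptions.

```python
DAD_WAIT = 1.0  # assumed DAD timeout (s): an NS with no NA reply by then means DAD succeeded
class SaviTable:
    def __init__(self):
        self.bindings = {}  # address -> anchor (port) that owns it
        self.pending = {}   # address -> (anchor, time its DAD NS was seen)

    def _expire(self, now):
        # An unanswered DAD completes: the soliciting anchor becomes the owner.
        for addr, (anchor, t0) in list(self.pending.items()):
            if now - t0 >= DAD_WAIT:
                self.bindings[addr] = anchor
                del self.pending[addr]

    def handle(self, now, kind, anchor, addr):
        """Decide one event; kind is 'NS' (DAD solicitation), 'NA' or 'DATA'."""
        self._expire(now)
        owner = self.bindings.get(addr)
        if kind == "NS":
            if owner is None and addr not in self.pending:
                self.pending[addr] = (anchor, now)
            return "forward"                  # a real owner may still defend addr with an NA
        if kind == "NA":                      # the NA target address is a source address too
            if owner != anchor:
                return "drop-spoofed-NA"      # unbound address, or bound to another port
            self.pending.pop(addr, None)      # the owner defended addr: that DAD fails
            return "forward"
        if owner == anchor:                   # data packet from the bound owner
            return "forward"
        if owner is not None:
            return "drop-spoofed"
        if addr in self.pending:
            if self.pending[addr][0] == anchor:
                return "forward"              # optimistic DAD: the soliciting port uses addr early
            return "drop-dad-race"            # another port claims addr during DAD with no NA seen
        self.bindings[addr] = anchor          # no NS ever seen (lost or not sent): FCFS on data
        return "forward-bind"

def run(events, table=None):
    """Feed constructed (time, kind, anchor, addr) events and return the decisions."""
    table = SaviTable() if table is None else table
    return [table.handle(*e) for e in events]

# Constructed trace: port1 runs DAD for ::a, port2 races it with data and then a
# forged NA, port1 keeps using ::a, and port3 uses ::b although its NS was lost.
TRACE = [
    (0.0, "NS", "port1", "2001:db8::a"), (0.1, "DATA", "port2", "2001:db8::a"),
    (0.2, "NA", "port2", "2001:db8::a"), (0.5, "DATA", "port1", "2001:db8::a"),
    (1.5, "DATA", "port1", "2001:db8::a"), (1.6, "DATA", "port2", "2001:db8::a"),
    (2.0, "DATA", "port3", "2001:db8::b"),
]
```

Running `run(TRACE)` shows the race from port2 dropped, port1 forwarded before and after its DAD completes, and port3 bound by FCFS because no NS for ::b was ever seen.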


Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.