[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [savi] A few comments on draft-vogt-savi-framework

From: Eric Levy-Abegnoli <elevyabe at cisco.com>
To: Christian Vogt <christian.vogt at ericsson.com>
Cc: SAVI Mailing List <savi at ietf.org>, Alberto García <alberto at it.uc3m.es>
Date: Tue, 03 Nov 2009 09:53:24 +0100
In-reply-to: <ABFF6FC6-2197-42D3-9266-15E18FB605D2 at ericsson.com>
References: <871D15B0-6B49-49F4-AD94-88AC7523044C at ericsson.com> <200910231045135108459 at huaweisymantec.com> <5FDC3979-13E4-480A-A1F6-334B95E2ED66 at ericsson.com> <200910291035478406365 at huaweisymantec.com><4540D1DA-94A6-4DC9-B5B9-E9C0E32D127B at ericsson.com> <4AE93B2C.7060906 at it.uc3m.es> <CC116DCB16C143C9A95F44C955E2AB8C at bombo> <210BBA32-43EB-49EC-B9BB-0C5B9AE7C4EA at ericsson.com> <4AEEB775.5020103 at cisco.com> <ABFF6FC6-2197-42D3-9266-15E18FB605D2 at ericsson.com>

Christian Vogt a écrit :

On Nov 2, 2009, Eric Levy-Abegnoli wrote:

A savi device not SEND-capable breaks RFC3971.


Let's be a bit more specific here.  In what way would a non-SEND-capable
SAVI device break RFC 3971?  Alberto has mentioned one case -- when a
SEND host's DAD fails for the second time due to an unsecured Neighbor
Advertisement, then the SEND host will configure the IP address, yet a
non-SEND-capable SAVI device would block the IP address.  Is this the
issue you are referring to?  Then we should discuss whether or not this
is acceptable.  Or are there more issues you are thinking of?

The sole purpose of CGA is to enable a CGA-capable node to prefer CGA-prooved NDP message over a none prooved one.
If the savi device does first-come-first-serve, and is not able to verify (and prefer) CGA credentials, then there are plenty of scenarios
where it will keep the non CGA owner entry and discard traffic from the legitimate: basically all scenarios where the non-CGA came first.

But I consider keeping the bogus entry is not the worse. It also prevents CGA-capable nodes to make a RFC3971 proper decision, by not
showing them messages from the legitimate owner, provided that it came second.

This is **not** a theoritical issue. I'll give you one scenario (you asked for it :)):

1) A CGA-capable node N (typically a critical host, such as a server or a router) gets its address X in the savi binding table
2) an attacker M spots X -easy, it's multicast in NA -. He sends DAD NS every minute for target X. As long as N is there,
he gets the NS, responds with NA and that's legal.
- In parallel, M computes X' (easy), the sibling CGA address of X (with colision = 1) and DAD it. The savi device installs it in the table
- At some point N go silent (pretty common, for maintenance, move, etc). Attacker M sends its periodic DAD NS for X. The savi device thinks
it's a move and replace the legitimate owner by the attacker.
- Here is the funny part. N comes back. Do DAD for X. M responds. N tries a second address X'. It's in the binding table! M responds.
- N ignores the response (that's 3971) and start sourcing with X'. All its traffic is dropped. Including the unsolicited NA to all-nodes
- Every node on the link, including the CGA-capable now have M as X and X' owner. And the savi device is dropping all N traffic.

That's what I call highjacking.
While this is not worse than before for non-CGA capable nodes, any CGA-capable nodes on the link should have prefered N to M.
But they don't have chance to see N. So CGA (RFC3971) become pointless, useless.
Eric

- Christian

Follow-Ups:
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Christian Vogt

References:
- [savi] Framework Document Suggestion
  - From: Christian Vogt
- [savi] A few comments on draft-vogt-savi-framework
  - From: Dong Zhang
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Christian Vogt
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Dong Zhang
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Christian Vogt
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: marcelo bagnulo braun
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Alberto García
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Christian Vogt
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Eric Levy-Abegnoli
- Re: [savi] A few comments on draft-vogt-savi-framework
  - From: Christian Vogt

Prev by Date: Re: [savi] A few comments on draft-vogt-savi-framework
Next by Date: Re: [savi] SAVI Solution for DHCPv4/v6
Previous by thread: Re: [savi] A few comments on draft-vogt-savi-framework
Next by thread: Re: [savi] A few comments on draft-vogt-savi-framework
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.