
Re: Field Variance Analysis



In message <199508152239.SAA16243@frankenstein.piermont.com>, perry@piermont.com writes:
>> 	Consider the goal of protecting source routes.
>
>I'm not sure there is a point to protecting source routes.

>Consider the following:
>
>1) The worst the attacker can do is force you to use a different route
>   than the intended one. He can force you to reply on a reversed bad
>   source route and can read your messages and keep the intended
>   recipient from reading them. However, if he's an active attacker in
>   the line he can do that anyway.

	This is true. But source routing can expand the scope of who can
be "in the line" in some cases. And it could create a class of annoyance
attacks. Imagine a world where providers charge per unit volume and you
select provider paths via source routes (this is being thought about
seriously in an IPv6 scope). If some bozo can cause large volumes of your
packets through Tokyo and Bangkok, they can run you up a nice bill. This
can also hose quality-of-service guarantees.

>2) We can't authenticate to intermediate nodes so the only thing the
>   machine on the end knows is what source route options the packet
>   was sent with, *not* what path it took.

	I disagree with your supposition that we can't authenticate to
intermediate nodes. I believe that we do not yet have a solid grasp as to how
to handle intermediate keying, but I believe that intermediate authentication
is possible and, in the case of source routes, needs to be done. For now, this
needs to be left for further study so that we can get something working, but
I don't think we should write off intermediate network authentication
because it is a valuable topic for future work. When we start talking about
things like providers charging by usage and guaranteed qualities of service,
this may become especially important.

>Authentication makes source routing safe not because it makes the
>source routes themselves immune from attack but because it
>authenticates the endpoints.

	I think that in the here and now, this is so. I believe that in the
future, it may not be.

	In general, I have always held the opinion that source routes are
bad and should be gotten rid of. In IPv6, it would seem reasonable to me that
the flow support should be used as a stateful alternative to source routes,
which would also make security processing easier. But people really do plan
on using source routes, and some of the things they plan to use source routes
for involve money, which means that a lot of users are going to want security
guarantees for them.

								-Craig