A method to prevent DoS in IPv6 DAD and Mobile IPv6
A number of recent IDs have shown a number of potential
security deficiencies in the way IPsec is used in a number
of IPv6 signalling functions, including Duplicate Address
Detection (DAD) and Mobile IPv6 Binding Updates (BUs). The
relevant drafts include the following.
draft-arkko-icmpv6-ike-effects-00.txt
draft-nikander-ipng-address-ownership-00.txt
The so-called PBK-keys (draft-bradner-pbk-frame-00.txt)
attempt to solve the Mobile IPv6 related problem by
proposing a new class of identifiers, EIDs. In some respects
that approach is similar to the HIP approach.
While thinking about the problem, an idea of using the IPv6
interface identifier as a cryptographic token appeared to me.
That is, by generating the interface identifier from components
using a cryptographic one-way function, one can "bind" the
interface identifier to the components, and the base security
on the components.
The idea is very new, and comments are solicited. Currently a
working copy of the forthcoming -00 draft is available at
http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-pbk-addresses-00.txt
I'll be working with the draft during my flights to Minneapolis,
posting it as soon as drafts are accepted again.
There is currently a plan to discuss related issues at the Mobile IP
WG meeting and the SAAG session on Thursday.
--Pekka Nikander
Ericsson
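As an added illustration of the binding idea sketched in the message above (example code written for this archive page, not taken from the e-mail or from the draft it announces): the interface identifier is computed with a one-way hash over the owner's components, so a receiver of a DAD reply or a Binding Update can recompute it from the components the claimant presents and reject a claim that does not match. The concrete choices here are assumptions, since the message does not specify them: SHA-256 truncated to 64 bits as the one-way function, the claimant's public-key bytes plus the /64 prefix as the bound components, and constructed byte strings standing in for the keys.

```python
import hashlib
import ipaddress

# Constructed sample values (not from the e-mail or the draft): a documentation
# prefix and two byte strings standing in for hosts' public keys.
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
OWNER_KEY = b"constructed public key of the legitimate address owner"
OTHER_KEY = b"constructed public key of some other node"

IID_MASK = (1 << 64) - 1
UG_BITS = 0x03 << 56  # 'u' and 'g' bits of a modified EUI-64 interface identifier


def derive_interface_id(prefix: ipaddress.IPv6Network, components: bytes) -> int:
    """Derive a 64-bit interface identifier bound to `components` and `prefix`.

    The one-way function is SHA-256 truncated to 64 bits (an assumption made
    for this example; the e-mail names neither the function nor the exact
    components).  Including the prefix means the same key yields different
    identifiers in different subnets, so a binding shown in one subnet cannot
    simply be replayed in another.
    """
    if prefix.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits; a /64 prefix is required")
    digest = hashlib.sha256(prefix.network_address.packed[:8] + components).digest()
    iid = int.from_bytes(digest[:8], "big")
    # Clear the u/g bits so the identifier is not confused with a globally
    # unique hardware-derived EUI-64.  Only 62 bits of hash output remain, so
    # the binding resists forgery up to roughly 2**62 hash evaluations, not the
    # full strength of the key: it narrows the attack, it does not replace
    # authenticating the signalling message itself.
    return iid & ~UG_BITS


def make_address(prefix: ipaddress.IPv6Network, components: bytes) -> ipaddress.IPv6Address:
    """Form the full address from the prefix and the derived identifier."""
    return ipaddress.IPv6Address(int(prefix.network_address) | derive_interface_id(prefix, components))


def verify_binding(addr: ipaddress.IPv6Address, components: bytes) -> bool:
    """Receiver-side check that `addr` was derived from `components`.

    A node processing a DAD reply or a Binding Update for `addr` recomputes the
    identifier from the components the sender presents; a claimant that does
    not hold the bound components cannot produce a matching address.  (The
    claimant must additionally prove possession of the components, e.g. with a
    signature; that proof is outside this example.)
    """
    prefix = ipaddress.IPv6Network((int(addr) & ~IID_MASK, 64))
    return (int(addr) & IID_MASK) == derive_interface_id(prefix, components)


def demo() -> dict:
    """The legitimate owner's address verifies; a different key does not."""
    addr = make_address(SAMPLE_PREFIX, OWNER_KEY)
    return {
        "address": str(addr),
        "owner_verifies": verify_binding(addr, OWNER_KEY),
        "other_verifies": verify_binding(addr, OTHER_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver never needs IPsec state or a pre-shared trust relationship to run `verify_binding`; it only needs the components the claimant sends along with the message, which is the property the message above is after. What the check does not give is proof that the sender currently holds those components, so in practice the hash binding is paired with a signature over the signalling message.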