Hi Tony, Thanks for your comments. Please see responses inline.
Tony Cheneau wrote:
Hello,
I've gone through draft-ietf-csi-proxy-send-00 and I have some comments. You state in section 5:
    The Secure Proxy ND becomes part of the trusted infrastructure just like a SEND router. The Secure Proxy ND is granted a certificate that specifies the range of addresses for which it is allowed to perform proxying of SEND messages. Hosts can use the same process to discover the certification path between a proxy and one of the host's trust anchors as the one defined for routers in Section 6 of SEND specification [RFC3971].
As far as I understand, once you authorize a node to act as a Proxy with a certificate, if the proxy gets corrupted, it can update Neighbor Cache value of all the nodes on the link. Am I right?
Yes. You are right. This situation needs to be fixed by detecting this and revoking the certificate of the proxy.
If so, maybe you should add a statement in the Security Considerations indicating that as specified the protocol is prone to Good Router Gone Bad attacks.
OK. Will do.
I think these attacks should be mitigated by using a Token generated by the proxied node and sent to a proxy to authorize it to actually "proxy" the address. This token will be carried in every proxied message (modified by the proxy). It will prove to the receiver that the proxied node authorized the proxy to act as such.
This is not always possible since the proxied node is not always aware of the existence of the proxy; e.g., the ND proxies are transparent to the proxied node. That is why we opted to use a certificate issued by the trusted infrastructure.
Cheers
Suresh
