Hi Julien
On Fri, 20 Nov 2009, Laganier, Julien wrote:
Tony,
If a router is compromised, it can send an RA containing a PIO with the L bit
set to zero, and thus two hosts on the link trying to communicate will send
their packets to the router and will not attempt to resolve each other's
address. Doing so, it can mount a MiTM attack or siphon off packets sent by a
host. This is acknowledged in section 4.2.1 of RFC 3756.
Indeed, I forgot this L flag. You're right.
Regarding the fe80::/64 prefix, it does not need to be advertized by the router
or proxy. It should be assumed that an ND proxy is always authorized to proxy
signaling for the fe80::/64 prefix. That does not need to be signaled in the
certificate, it has to be written down in the draft however :)
This is a good way to go (the other way around seems to be to add the fe80::/64
prefix to the Secure Proxy ND's certificate). However, can you add a security
consideration specific to this new "rule"? I see a security issue here.
From RFC 4861, section 4.6.2 (the Prefix Information Option):
"A router SHOULD NOT send a prefix option for the link-local prefix and a host
SHOULD ignore such a prefix option."
Meaning that the attack in 4.2.1 of RFC 3756 "SHOULD NOT" work on two nodes
communicating directly using their link-local addresses (as the PIOs sent by
the router will most likely be ignored).
Here, the Secure Proxy ND seems to be able to siphon off the communication of
the same two nodes using their link-local addresses (as it is always authorized
to proxy signaling for the fe80::/64 prefix).
Maybe I am (again) missing something here.
Regards,
Tony
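The host-side rules this exchange turns on, as an added illustration for readers of the thread (not code from the draft, from RFC 4861/3756, or from anyone on this list): a router encodes a Prefix Information Option, the receiving host applies the on-link part of RFC 4861 section 6.3.4 (ignore a link-local prefix; only an L=1 prefix enters the Prefix List), and the conceptual sending algorithm of section 5.2 then decides whether a destination is resolved directly or handed to the default router. With L=0 the prefix never becomes on-link, so traffic to a neighbour goes through the router (the RFC 3756 section 4.2.1 situation); a PIO for fe80::/64 is dropped and link-local destinations stay on-link. The addresses 2001:db8:1::/64, 2001:db8:1::b, fe80::1 and fe80::b are constructed for the example.

```python
"""Host-side PIO handling per RFC 4861 (sections 4.6.2, 5.2, 6.3.4).
Added example for the CGA-EXT thread; not code from any draft or stack.
Addresses used below are constructed (2001:db8::/32 is the doc prefix)."""
import ipaddress
import struct

ND_OPT_PREFIX_INFO = 3                     # option type, RFC 4861 4.6.2
FLAG_ONLINK = 0x80                         # L bit
FLAG_AUTONOMOUS = 0x40                     # A bit
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")          # as used in the thread
LINK_LOCAL_SCOPE = ipaddress.IPv6Network("fe80::/10")    # RFC 4291 link-local range
# type, length(8-octet units), prefix length, flags, valid, preferred, reserved2, prefix
PIO_FORMAT = "!BBBBIII16s"


def build_pio(prefix, onlink, autonomous=True, valid=2592000, preferred=604800):
    """Encode the 32-byte PIO a router places in a Router Advertisement."""
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_ONLINK if onlink else 0) | (FLAG_AUTONOMOUS if autonomous else 0)
    return struct.pack(PIO_FORMAT, ND_OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       valid, preferred, 0, net.network_address.packed)


def parse_pio(data):
    """Decode a PIO; returns (network, onlink_flag, valid_lifetime)."""
    typ, length, plen, flags, valid, _pref, _res, raw = struct.unpack(PIO_FORMAT, data[:32])
    if typ != ND_OPT_PREFIX_INFO or length != 4:
        raise ValueError("not a Prefix Information option")
    net = ipaddress.IPv6Network((raw, plen), strict=False)
    return net, bool(flags & FLAG_ONLINK), valid


def is_link_local(net):
    return net.network_address in LINK_LOCAL_SCOPE


def new_prefix_list():
    # RFC 4861 5.2: the link-local prefix is always on the Prefix List,
    # whether or not any router advertises it.
    return {LINK_LOCAL}


def process_pio(prefix_list, data):
    """On-link processing of one received PIO (RFC 4861 6.3.4)."""
    net, onlink, valid = parse_pio(data)
    if is_link_local(net):
        return "ignored link-local PIO"       # 4.6.2: host SHOULD ignore it
    if not onlink:
        return "L=0: no on-link information, Prefix List unchanged"
    if valid == 0:
        prefix_list.discard(net)              # lifetime 0 withdraws the prefix
        return "removed %s" % net
    prefix_list.add(net)
    return "added %s as on-link" % net


def next_hop(prefix_list, dst, default_router):
    """Conceptual sending algorithm (RFC 4861 5.2): an on-link destination
    is resolved with NS/NA and sent directly; everything else goes to the
    default router. Returns the address the host will resolve as next hop."""
    dst = ipaddress.IPv6Address(dst)
    if any(dst in net for net in prefix_list):
        return str(dst)
    return str(ipaddress.IPv6Address(default_router))


def scenario(pio_bytes, dst, router="fe80::1"):
    """Fresh host receives one RA carrying pio_bytes, then sends to dst."""
    prefix_list = new_prefix_list()
    note = process_pio(prefix_list, pio_bytes)
    return note, next_hop(prefix_list, dst, router)


if __name__ == "__main__":
    honest = build_pio("2001:db8:1::/64", onlink=True)
    rogue = build_pio("2001:db8:1::/64", onlink=False)   # RFC 3756 4.2.1 attack
    linklocal = build_pio("fe80::/64", onlink=False)     # RFC 4861 4.6.2: ignored
    print(scenario(honest, "2001:db8:1::b"))      # resolved directly
    print(scenario(rogue, "2001:db8:1::b"))       # sent to fe80::1, the router
    print(scenario(linklocal, "fe80::b"))         # still resolved directly
```

The third scenario is the point Tony raises: a host ignores a PIO for fe80::/64, so a rogue RA cannot pull link-local traffic through the router, whereas a proxy that is implicitly authorized for fe80::/64 would not be subject to that check at all.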
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext