Randall R. Stewart (home) wrote:

Now as to the applicability in SCTP and ADD-IP...

There is a difference with mobile-ip in that an SCTP association is already
established. Each node, CN and MN, has "connection" state. There has
been a 64-bit random value exchanged and the "ADD-IP", which is the equivalent
of the "BU", can be verified with this random state that the ends are
maintaining. The real issue shows up if you are worried about
an eavesdropper that can "see" the initial INIT/INIT-ACK exchange
between the two peers. In that case it would then have the 64 bits of randomness
and could "inject" the false ADD/DEL that would hijack the association. Of
course it could do other things too, like knock down your association as well
by sending a false ABORT chunk....

Yes. Unless you are encrypting the whole session, on-path attackers can already do almost anything. They can start a session for you. They can abort a session for you. They can hijack a session from you. They can modify a session.

It is good to see that the routing infrastructure is believed to be non-compromised
in the MIP case. If we can make the same assumption then with one minor
tweak we can add a mechanism to SCTP to authenticate the ADD-IP with
private-public key pairs shared in the INIT/INIT-ACK. The obvious
problem with this would be if the infrastructure was compromised and you
had a true man in the middle who could intercept the INIT/INIT-ACK packets and
change the keys... but that goes away if we make the same assumption MIP did :>

The question you have to ask is: What is the difference between the "Internet as is" and "Internet with ADD-IP (or MIP)". You can do the analysis case by case, such as for plaintext communications and for cryptographically protected communications and with or without the compromised infrastructure. For instance, assuming plaintext SCTP packets, presumably in the current Internet all on-path attackers will be able to launch the attacks I listed above. But I hope that not everyone in the whole Internet will be able to e.g. disconnect SCTP sessions from a given host. The same properties should stay if you add a feature such as ADD-IP. On the other hand, if we assume that the routing infrastructure is compromised, then even in the current Internet I can go and intercept your plain sessions and cause all kinds of interesting problems. I would allow this to happen even with ADD-IP, as long as it does not make the problem worse.

With cryptographic protection (e.g. IPsec) on the SCTP packets,
you should be safe even from on-path attackers. Again, if you add
the ADD-IP feature the same property should stay. Note that there are
some DoS attacks that remain regardless of cryptographic protection.
For instance, by interfering with ARP/ND you could block the flow
of packets.

--Jari





