Erik Nordmark wrote:

> One of the issues here is that 5 years from now, if an MN cares about
> the security that the existing (old) MIPv6 correspondent nodes require
> for BUs for that MN's home address, how can the MN express it?

The semantics of a two-way protocol can't be encoded in a single unidirectional bit.

> If you leave this decision up to the CN things are quite different.

The decision will always be up to the CN. Even with the proposed bit, all the MN can do is indicate its expectations and hope. If the MN really wants assurance, there will have to be a return message from the CN that indicates how it will handle any BU. If you are into a bi-directional protocol, address bits are not the place to encode it.

> Perhaps you don't think it is necessary for the MN to be able to express
> this. But it is the packets to that MN that are being "redirected" by
> an attacker.

Yes, but there is nothing the MN can do about that without feedback from the CN about how it will handle a BU. Simply setting a bit does not assure that the CN will act according to the MN's intentions.

In draft-montenegro-mipv6sec-bit-method-00.txt, the point in 2.1.1

   The hope is that eventually, Alice will give up and use its weak
   address, at which point, Mallory will let the traffic through,
   presumably, because it can break the protocol:

is simply bogus. If Alice cares about strong, the connection will simply never happen in the scenario described. In reality the connection will happen, because the premise in the preceding paragraph

   this is much simpler than rewriting Alice's address with a "weak"
   address and then sending the packet to Bob.

is also bogus. It would be much easier for Mallory to act as a NAT (and flip the strong/weak bit) than to try to guess that some subsequent weak address actually belonged to Alice.

The claim on pg 14 furthers this failed line of reasoning:

   Note that an active attacker on the path between Alice and Bob is
   able to clear a set bit. However, that changes the address, and
   Alice is not going to answer to any possible replies sent by Bob.
   Thus, the bit prevents the attacker from impersonating as Alice and
   fooling Bob to use the less secure protocol.

because it assumes that the operation is unidirectional. All Mallory has to do is act as a well-understood NAT and set it back on the return path so Alice would be none the wiser.

Tony

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
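Tony's NAT argument above, as an added example that is not part of the original post or of the draft it criticises: a toy Python model in which the path either delivers packets unchanged or behaves as a bit-clearing NAT, showing that Alice's only end-to-end check (the reply comes back to the address she used) passes in both cases while Bob's view of the bit differs. The node names, the `HonestPath`/`BitClearingNat` classes and the `cn_policy` rule are constructed for illustration, not taken from the draft.

```python
# Added example (not from the thread or the draft): a toy model of the
# "strong/weak address bit" exchange. Node names and the CN rule are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Addr:
    host: str      # which node the address belongs to
    strong: bool   # the proposed "require strong BU security" bit

@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    payload: str

class HonestPath:
    """No one on path: packets are delivered unchanged both ways."""
    def forward(self, pkt):
        return pkt
    def reverse(self, pkt):
        return pkt

class BitClearingNat:
    """On-path box behaving like a NAT: clears Alice's strong bit toward
    Bob and maps replies back to the strong address Alice actually used."""
    def __init__(self):
        self.table = {}   # address Bob sees -> Alice's real address
    def forward(self, pkt):   # Alice -> Bob
        weak = replace(pkt.src, strong=False)
        self.table[weak] = pkt.src
        return Packet(weak, pkt.dst, pkt.payload)
    def reverse(self, pkt):   # Bob -> Alice
        return Packet(pkt.src, self.table.get(pkt.dst, pkt.dst), pkt.payload)

def cn_policy(peer):
    """Constructed CN rule: the bit as Bob sees it decides BU handling."""
    return "strong BU only" if peer.strong else "weak BU accepted"

def run_exchange(path):
    """One round trip over `path`; returns what each end observed."""
    alice = Addr("alice", strong=True)
    bob = Addr("bob", strong=False)
    at_bob = path.forward(Packet(alice, bob, "request"))
    at_alice = path.reverse(Packet(bob, at_bob.src, "reply"))
    return {
        "bob_saw_strong": at_bob.src.strong,
        "bob_policy": cn_policy(at_bob.src),
        # all Alice can check is that the reply came back to the address she used
        "alice_reply_matches": at_alice.dst == alice,
    }
```

Calling `run_exchange(HonestPath())` and `run_exchange(BitClearingNat())` gives the same `alice_reply_matches` result but different `bob_policy` values, which is the point about needing a return message from the CN rather than a bit in the address.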