Christian Huitema wrote:

> SEND secures the mapping between an IPv6 address and a MAC address, but
> it does nothing to guarantee that the L2 topology actually delivers the
> packets to the intended destination. When we expend all that energy
> signing neighbor discovery packets, have we really improved security?

SEND is just one part of the overall puzzle, not the sole answer to all problems. And solutions usually are unable to prevent all problems. In particular, whatever you do, it's hard for endpoints to ensure that their packets are not stopped, redirected, modified, or looked at en route. One thing you can do is to ensure that the packets are protected so that these attacks, if performed, would not have an impact beyond denial-of-service. That's why we have protocols such as TLS or IPsec*.

Another thing you can do is to ensure that such attacks are
harder to launch or at least that they can not be launched
from anywhere. This is where SEND helps. Basically, SEND
prevents the use of L3 control protocols to hijack sessions.
Of course, a router or learning bridge that legitimately
gets the traffic could still send it to someone else or
to the trashcan. But it would be great if we could at least
prevent outsiders, such as people that plug into an Ethernet
port at an office, from doing this.

But an attack below layer 3 will still get you into trouble.
This includes things like wireless attacks, e.g., an open
wireless LAN or spoofing your L2 address to a switch that
looks at source MACs. Various methods exist to deal with
these issues, starting from a switch locking onto a MAC
address upon first usage on a port ("Learn and Lock" on
some equipment).

See also Section 9.1 in the SEND protocol document.

--Jari

*) Earlier, we even considered doing per-packet cryptographic
protection based on SEND. This would be your zero-config
.1X variant.


-------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
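The L2 point in the message above (a learning bridge that trusts source MACs can have its forwarding table poisoned from any port, and "learn and lock" port security stops the later spoof but binds only whichever MAC the port saw first) is easy to see in a small model. The following is an added example written for this page, not code from the thread or from any switch vendor; the bridge model, the MAC addresses and the frame sequence are all constructed for illustration.

```python
"""Toy learning bridge, with and without 'learn and lock' port security.

Constructed example: models the forwarding-table (FDB) update a learning
bridge makes on every received frame, and the per-port lock that some
equipment adds so that a port is bound to the first source MAC seen on it.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER = "02:00:00:00:00:01"    # constructed MACs
VICTIM = "02:00:00:00:00:02"
ATTACKER = "02:00:00:00:00:03"


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


@dataclass
class LearningBridge:
    ports: int
    lock_on_first_use: bool = False
    fdb: dict = field(default_factory=dict)        # MAC -> port
    locked: dict = field(default_factory=dict)     # port -> MAC it is locked to
    violations: list = field(default_factory=list)  # (port, offending src MAC)

    def receive(self, frame: Frame) -> list:
        """Process one frame; return the list of egress ports ([] if dropped)."""
        if self.lock_on_first_use:
            owner = self.locked.get(frame.in_port)
            if owner is None:
                # First source MAC seen on this port: lock the port to it.
                self.locked[frame.in_port] = frame.src
            elif owner != frame.src:
                # Security violation: drop the frame and do NOT update the FDB,
                # so the spoofed MAC cannot move to this port.
                self.violations.append((frame.in_port, frame.src))
                return []
        # Plain learning bridge behaviour: source MAC is learned on the ingress
        # port unconditionally, which is exactly what a spoofer relies on.
        self.fdb[frame.src] = frame.in_port
        out = self.fdb.get(frame.dst)
        if out is None:
            return [p for p in range(self.ports) if p != frame.in_port]  # flood
        return [] if out == frame.in_port else [out]


def late_spoof(lock: bool):
    """Attacker spoofs the victim's MAC after the victim has already been seen.

    Returns (ports the router's reply to the victim goes out on, violations).
    """
    sw = LearningBridge(ports=4, lock_on_first_use=lock)
    sw.receive(Frame(ROUTER, BROADCAST, 0))   # router on port 0
    sw.receive(Frame(VICTIM, ROUTER, 1))      # victim on port 1
    sw.receive(Frame(ATTACKER, ROUTER, 2))    # attacker on port 2, own MAC
    sw.receive(Frame(VICTIM, ROUTER, 2))      # attacker now claims victim's MAC
    return sw.receive(Frame(ROUTER, VICTIM, 0)), sw.violations


def early_spoof(lock: bool):
    """Attacker spoofs the victim's MAC before the victim has transmitted.

    With 'learn and lock' the attacker's port is locked to the victim's MAC,
    because that is the first MAC the port saw: the lock binds the first
    claimant, it does not authenticate anyone.
    """
    sw = LearningBridge(ports=4, lock_on_first_use=lock)
    sw.receive(Frame(ROUTER, BROADCAST, 0))
    sw.receive(Frame(VICTIM, ROUTER, 2))      # attacker's first frame is spoofed
    return sw.receive(Frame(ROUTER, VICTIM, 0)), sw.violations


if __name__ == "__main__":
    print("late spoof, no lock  :", late_spoof(False))   # reply goes to port 2
    print("late spoof, with lock:", late_spoof(True))    # reply goes to port 1
    print("early spoof, with lock:", early_spoof(True))  # reply still to port 2
```

Running it shows the router's reply to the victim leaving on the attacker's port in the unprotected case, being delivered to port 1 once the lock is on, and going to the attacker again when the spoofed frame is the first one the port ever sees. That last case is the caveat the message hints at: learn-and-lock narrows who can launch the attack and from where, but it is not an identity check, which is why 802.1X-style port authentication or static MAC bindings are the next step.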
