Christian Huitema wrote:
> > The general case of proxy ND, which this specification uses, can not
> > provide any security against MiTM because by definition the proxy is a
> > MiTM. Thus it is completely unreasonable to assume that SeND will
> > solve this.
>
> What do you mean, unreasonable? It is certainly possible to write and
> sign something like "I am a secure host, I am behind a proxy, and the
> proxy address is X:Y:Z". Obviously, that places requirements on SEND or
> ND-Proxy. SEND would have to allow a new format, or ND-Proxy would have
> to allow some explicit proxy discovery. But it is certainly neither
> unreasonable nor impossible.

First, I tend to agree with Erik that the proxy ND document has some serious issues.

Secondly, I'm sensing that part of this discussion is whether
an interaction between features 1 and 2 should be solved in
feature 1 or 2 spec. Of course, feature 1 folks will believe
that spec 2 (and people behind spec 2) should solve it, and
vice versa :-) But most of the time we seem to deal with
this type of a problem in the IETF by adding stuff
to the document that came later.

Finally, generally speaking Christian is right about his
solution. This could indeed be done. But there is also
a question mark in the solution and I'm not sure
exactly what assumptions it needs to have about the
network topology and technology. The question is how
a host knows that it should indeed be behind a proxy and
that it's not simply being attacked? Perhaps we
could develop an answer to this question -- maybe we
know it for sure in some network types and in others we
could learn it in the SEND transition style. But it's
still different from Erik's home agent example, because
in that example we know for sure that we have a home
agent, and we even have a security association with
it so we could use that when building some kind of a
delegation scheme.

--Jari

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------