Re: [DNA] Ordering Hash-based RAs
Hi Erik,
Erik Nordmark wrote:
[cut]
>
>
> Greg,
>
> I'm not sure I understand the attack and the impact of it.
> Are you saying that an attacker on the link can pretend to be a DNA
> router and select its IID so that it is more or less guaranteed to be
> the router ranked first?
> Then the "attack" is that this router will just ignore the RAs, with the
> impact being that the hosts have to wait a few tens of milliseconds
> until the next ranked router responds?
>
> That doesn't sound like a serious attack, given that an attacker on the
> link can cause all sorts of havoc (listed in the SeND threats RFC).
>
> However, it seems like the algorithm in the draft doesn't do a good job
> of spreading which router will respond first, since as you point out,
> the first bits of the IID of the host are the same for EUI-64 based IIDs.
> So I think we need to fix this for reasons other than security.
I agree that the effects aren't necessarily severe.
In some environments though, it may be possible for a bogus router to
then advertise additional addresses to generate further delays.
This is much harder to do if the ordering of the router ranks is
unpredictable.
Spreading out the responses sounds like a good thing to do in any case,
as you point out though.
Greg
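The thread's point is that a ranking keyed on the leading bits of a host's interface identifier barely varies across hosts, because for EUI-64-derived IIDs those bits are the vendor OUI. The script below is an added illustration, not part of this thread and not the algorithm from the draft being discussed: it builds a toy model in which routers are ranked either by a naive key dominated by the leading IID bits (`rank_key_xor`) or by a hash over both IIDs (`rank_key_hash`), and counts which router ends up ranked first across many hosts from one vendor. The MAC addresses, OUIs and helper names (`eui64_iid`, `first_responder`, `responder_spread`) are constructed for the example.

```python
"""Toy model: how the ranking key affects which router is ranked first.

Added example, not the DNA draft's algorithm. All addresses are constructed.
"""
import hashlib
from collections import Counter


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    b = bytearray.fromhex(mac.replace(":", ""))
    b[0] ^= 0x02  # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def rank_key_xor(host_iid: bytes, router_iid: bytes) -> int:
    """Naive key: numeric XOR distance between the two IIDs.

    The ordering is decided by the most significant differing bits. For
    EUI-64 IIDs those are the OUI, identical for every host from one vendor,
    so every such host ends up with the same first-ranked router.
    """
    return int.from_bytes(host_iid, "big") ^ int.from_bytes(router_iid, "big")


def rank_key_hash(host_iid: bytes, router_iid: bytes) -> int:
    """Hash-based key: every bit of both IIDs influences the ordering."""
    return int.from_bytes(hashlib.sha256(host_iid + router_iid).digest(), "big")


def first_responder(host_iid: bytes, router_iids: list, key_fn) -> bytes:
    """Router whose key sorts lowest is the one ranked first for this host."""
    return min(router_iids, key=lambda r: key_fn(host_iid, r))


def responder_spread(host_iids: list, router_iids: list, key_fn) -> Counter:
    """How often each router is ranked first across a population of hosts."""
    return Counter(first_responder(h, router_iids, key_fn).hex() for h in host_iids)


# Constructed sample: three routers with distinct (made-up) OUIs, and 200 hosts
# that all share a fourth made-up OUI, as a single-vendor deployment would.
ROUTERS = [eui64_iid(m) for m in ("00:11:22:00:00:01",
                                   "00:33:44:00:00:01",
                                   "00:55:66:00:00:01")]
HOSTS = [eui64_iid(f"00:77:88:00:{n >> 8:02x}:{n & 0xff:02x}") for n in range(1, 201)]


def compare() -> tuple:
    """Return (naive_spread, hashed_spread) for the constructed population."""
    return (responder_spread(HOSTS, ROUTERS, rank_key_xor),
            responder_spread(HOSTS, ROUTERS, rank_key_hash))


if __name__ == "__main__":
    naive, hashed = compare()
    print("leading-bits key :", dict(naive))   # one router wins for all 200 hosts
    print("hash-based key   :", dict(hashed))  # roughly even split across routers
```

With the naive key the same router is ranked first for all 200 hosts, which is the "poor spreading" effect described in the thread; the hashed key distributes the first rank across the routers. The example only models spreading, not the timing or any per-router delay in the draft.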