
Re: [DNA] Route vs Advertise



> >Note that this does not imply that the router advertisement should be
> >considered insecure, just the uncertified prefix. If the advertisement
> >has a signature verifiable with the router's certified public key, then
> >the router is trustworthy.
> >
> >
> I understand.
>
> Do you think we need to say 'the prefixes in the DNAO SHOULD NOT be
> verified against the prefixes listed in the certificate' in DNAv6?
>

AFAICT, the DNAO is really only useful in multicast RAs. If the RA is
unicast, then the "yes" or "no" bit will be enough to tell the host whether
or not it is on or off link, the host cannot use the DNAO to configure the
address, and it need not use the prefixes in the DNAO to tell whether it is
on or off link because the router does that directly through the "yes/no"
bit. (BTW, why again is the DNAO required in unicast RAs if the host isn't
on link?)

So the host will make its on or off link decision based on the DNAO if it
gets a multicast RA. As long as the RA is covered by a signature, the host
knows that it wasn't modified in transit, that is, that it came from a
router possessing the private key matching the certified public key. Now, it
is possible that the router may be compromised and the attacker may try to
convince the host that it is on or off link when it isn't by sending out a
collection of bogus DNAO prefixes. If we want to exclude this possibility,
then we should require the DNAO prefixes to be compared against those in the
certificate as well. But since the host doesn't use these for address
configuration or routing, there should be no possibility that the host is
convinced to route through a bogus router (though if the router sending the
RA is compromised, it can, of course, make trouble for packets that are
routed through it even if the host selects a certified prefix).

That is a somewhat long-winded way of saying that SHOULD NOT is probably OK.

            jak
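An added illustration of the two host-side policies discussed in the message above (trusting signed DNAO prefixes as-is versus also checking them against the router's certified prefixes); this is example code written for this page, not from the DNA working group or any implementation. It assumes a hypothetical certificate model where the router certificate lists authorised IPv6 prefixes, uses an HMAC as a stand-in for the real RA signature, and uses constructed prefixes throughout.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class RouterCert:
    """Stand-in for a router certificate: the prefixes the router is
    certified for, plus a key standing in for its certified keypair
    (hypothetical; HMAC replaces the real signature scheme)."""
    authorised_prefixes: list
    key: bytes


@dataclass
class RouterAdvertisement:
    dnao_prefixes: list      # prefixes carried in the DNAO (constructed)
    multicast: bool          # True for a multicast RA, False for unicast
    signature: bytes = b""

    def payload(self) -> bytes:
        return ("|".join(self.dnao_prefixes) + f"|mc={self.multicast}").encode()


def sign(ra: RouterAdvertisement, cert: RouterCert) -> RouterAdvertisement:
    # The (possibly compromised) router signs with the key matching its cert.
    ra.signature = hmac.new(cert.key, ra.payload(), hashlib.sha256).digest()
    return ra


def usable_dnao_prefixes(ra, cert, check_against_cert):
    """Return the DNAO prefixes the host may use for its on/off-link
    decision; raise ValueError if the RA does not verify at all."""
    expected = hmac.new(cert.key, ra.payload(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ra.signature):
        raise ValueError("RA signature does not verify; discard the RA")
    if not ra.multicast:
        return []   # unicast RA: the yes/no bit decides, the DNAO is unused
    if not check_against_cert:
        return list(ra.dnao_prefixes)   # the SHOULD NOT policy: trust the signer
    # Stricter policy: keep only prefixes inside a certified prefix, which
    # filters bogus prefixes even when the signing router itself is compromised.
    allowed = [ipaddress.ip_network(p) for p in cert.authorised_prefixes]
    return [p for p in ra.dnao_prefixes
            if any(ipaddress.ip_network(p).subnet_of(a) for a in allowed)]
```

The difference between the two policies only shows in the compromised-router case: a forged signature is rejected either way, but a validly signed bogus prefix is only filtered by the certificate comparison.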