[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [DNA] Small security flaw in Hash FastRA (with proposal)

To: Greg Daley <gregd@research.panasonic.com>
Subject: Re: [DNA] Small security flaw in Hash FastRA (with proposal)
From: Christian Vogt <chvogt@tm.uka.de>
Date: Tue, 18 Apr 2006 22:49:20 +0200
Cc: dna@eng.monash.edu.au
In-reply-to: <4444FB97.6000007@research.panasonic.com>
References: <442D9354.9060000@research.panasonic.com><444407E1.8030603@tm.uka.de> <44440B4E.8010501@research.panasonic.com><44443022.6030005@tm.uka.de> <4444FB97.6000007@research.panasonic.com>
Sender: owner-dna@ecselists.eng.monash.edu.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5)Gecko/20041206 Thunderbird/1.0 Mnenhy/0.7.3.0

>> Deterministic FastRA could be an option for networks where RA
>> ordering is important and routers can mutually authenticate each
>> other, such as NETLMM.  This wouldn't break things; the routers
>> would just ignore the Nonce option used by MNs in RSs and come up
>> with their own, deterministic RA ordering.
> 
> That's not exactly what I meant :)

:-)

> I'd really prefer there's one solution, if possible.

Yep, that's certainly right.

What I meant is that NETLMM routers could really use any (possibly
proprietary) mechanism for scheduling RAs.  Even if the DNA
specification defined MN-generated nonces to randomize the input for the
FastRA scheduling algorithm, that really would not keep NETLMM routers
from using their own solution for both security and scheduling.

There would certainly be problems where different administrative domains
overlap, but I'm not sure if NETLMM is currently chartered for such
scenarios.  Same thing for deployments with heterogeneous access
technologies.

Be it as it may, I agree with you in that there should be one single DNA
mechanism.

- Christian

-- 
Christian Vogt, Institute of Telematics, University of Karlsruhe
www.tm.uka.de/~chvogt/pubkey/



Greg Daley wrote:
> Christian Vogt wrote:
> 
>> Hi Greg!
>> 
>>> I think that we have been trying very hard to not require
>>> explicit trust between routers, as we already had a solution
>>> which did that, called Deterministic FastRA.
>> 
>> 
>> I see, so much the better.
>> 
>> Deterministic FastRA could be an option for networks where RA 
>> ordering is important and routers can mutually authenticate each 
>> other, such as NETLMM. This wouldn't break things; the routers 
>> would just ignore the Nonce option used by MNs in RSs and come up 
>> with their own, deterministic RA ordering.
> 
> 
> That's not exactly what I meant :)
> 
> I'd really prefer there's one solution, if possible.
> 
> The solution would drop straight in to a constrained network 
> scenario, but wouldn't work in a scenario with any form of mixed 
> deployment (caveat deployer!).
> 
> At this stage, let's see what the issues are which need resolving, 
> and we'll work out what the solutions are from there (I really like 
> HashFastRA, and it has the blessing of DT and WG).
>
> Greg
>

References:
- [DNA] Small security flaw in Hash FastRA (with proposal)
  - From: Greg Daley <gregd@research.panasonic.com>
- Re: [DNA] Small security flaw in Hash FastRA (with proposal)
  - From: Christian Vogt <chvogt@tm.uka.de>
- Re: [DNA] Small security flaw in Hash FastRA (with proposal)
  - From: Greg Daley <gregd@research.panasonic.com>
- Re: [DNA] Small security flaw in Hash FastRA (with proposal)
  - From: Christian Vogt <chvogt@tm.uka.de>
- Re: [DNA] Small security flaw in Hash FastRA (with proposal)
  - From: Greg Daley <gregd@research.panasonic.com>

Prev by Date: Re: [DNA] Small security flaw in Hash FastRA (with proposal)
Next by Date: [DNA] Dallas meeting minutes.
Prev by thread: Re: [DNA] Small security flaw in Hash FastRA (with proposal)
Next by thread: [DNA] Dallas meeting minutes.
Index(es):
- Date
- Thread