
Re: Spoofing and SCTP ADD-IP (was Re: Solving the right problems ...)

2003-09-16 05:19:06
Randall R. Stewart (home) wrote:

Now as to the applicability in SCTP and ADD-IP...

There is a difference with mobile-ip in that an SCTP association is already
established. Each node CN and MN have "connection" state. There has
been a 64bit random value exchanged and the "ADD-IP" which is equivalent
of the "BU" can be verified with this random state that the ends are
maintaining. The real issue shows up in that if you are worried about
an eavesdropper that can "see" the initial INIT/INIT-ACK exchange
between the two peers. In that case it would then have the 64bits of randomness
and could "inject" the false ADD/DEL that would hijack the association. Of
course it could do other things too like knock down your association as well
by sending a false ABORT chunk....

Yes. Unless you are encrypting the whole session, on-path attackers can
already do almost anything. They can start a session for you. They can
abort a session for you. They can hijack a session from you. They can
modify a session.

It is good to see that the routing infrastructure is believed to be non-compromised
in MIP case. If we can make the same assumption then with one minor
tweak we can add a mechanism to SCTP to authenticate the ADD-IP with
private-public key pairs shared in the INIT/INIT-ACK. The obvious
problem with this would be if the infrastructure was compromised and you
had a true man in the middle who could intercept the INIT/INIT-ACK packets and change the keys... but that goes away if we make the same assumption MIP did :>

The question you have to ask is: What is the difference between the
"Internet as is" and "Internet with ADD-IP (or MIP)". You can do the
analysis case by case, such as for plaintext communications and
for cryptographically protected communications and with or without
the compromised infrastructure. For instance, assuming plaintext
SCTP packets, presumably in the current Internet all on-path attackers
will be able to launch the attacks I listed above. But I hope that
not everyone in the whole Internet will be able to e.g. disconnect SCTP
sessions from a given host. The same properties should stay if you
add a feature such as ADD-IP. On the other hand, if we assume that
the routing infrastructure is compromised, then even in the current
Internet I can go and intercept your plain sessions and cause all kinds
of interesting problems. I would allow this to happen even with ADD-IP,
as long as it does not make the problem worse.

With cryptographic protection (e.g. IPsec) on the SCTP packets,
you should be safe even from on-path attackers. Again, if you add
the ADD-IP feature the same property should stay. Note that there are
some DoS attacks that remain regardless of cryptographic protection.
For instance, by interfering with ARP/ND you could block the flow
of packets.

--Jari
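The case analysis in this exchange (off-path sender, passive eavesdropper on INIT/INIT-ACK, active man-in-the-middle on INIT/INIT-ACK) can be made concrete with a small receiver-side model. The following is an added example, not code from the thread or from any SCTP implementation: it keeps the per-direction random verification tag that SCTP actually uses, and stands in for Randall's "key pairs shared in the INIT/INIT-ACK" with an ephemeral Diffie-Hellman exchange whose result keys an HMAC over the address-change chunk. The DH group (a Mersenne prime, generator 2), the chunk encoding, the endpoint names CN/MN and the addresses are all constructed for illustration; the group is not a safe one and the model carries no real SCTP packet format.

```python
# Added illustration of the ADD-IP threat model discussed in the thread.
# Assumptions (not from the thread): toy DH group, HMAC-SHA256 as the
# authentication stand-in, and constructed addresses. NOT a real SCTP stack.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime, chosen so the arithmetic is readable; NOT a safe DH group
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, other_pub):
    # Hash the shared group element down to a 32-byte MAC key.
    return hashlib.sha256(pow(other_pub, priv, P).to_bytes(16, "big")).digest()


class Endpoint:
    """One side of an association: random tag, address list, optional key."""

    def __init__(self, name, addr):
        self.name = name
        self.addresses = {addr}
        self.my_tag = secrets.randbits(32)   # tag a peer must present to reach us
        self.peer_tag = None
        self.priv, self.pub = dh_keypair()
        self.key = None                      # derived during INIT/INIT-ACK
        self.key_with = {}                   # only used by the MITM model


def init_exchange(a, b, mitm=None):
    """Model INIT/INIT-ACK and return what a passive observer on the path sees.
    If `mitm` is given it substitutes its own DH value in both directions."""
    a.peer_tag, b.peer_tag = b.my_tag, a.my_tag
    pub_to_b = mitm.pub if mitm else a.pub
    pub_to_a = mitm.pub if mitm else b.pub
    a.key = dh_shared(a.priv, pub_to_a)
    b.key = dh_shared(b.priv, pub_to_b)
    if mitm:
        mitm.key_with = {a.name: dh_shared(mitm.priv, a.pub),
                         b.name: dh_shared(mitm.priv, b.pub)}
    # Tags and DH public values travel in the clear; that is all a sniffer gets.
    return {"tags": {a.name: a.my_tag, b.name: b.my_tag},
            "pubs": {a.name: pub_to_b, b.name: pub_to_a}}


def chunk_mac(key, tag, op, addr):
    return hmac.new(key, f"{tag}|{op}|{addr}".encode(), hashlib.sha256).digest()


def make_asconf(tag, op, addr, key=None):
    """Constructed stand-in for an ADD-IP (ASCONF) chunk."""
    chunk = {"tag": tag, "op": op, "addr": addr}
    if key is not None:
        chunk["mac"] = chunk_mac(key, tag, op, addr)
    return chunk


def accept_asconf(ep, chunk, require_auth):
    """Receiver-side policy: True only if the address change is applied."""
    if chunk["tag"] != ep.my_tag:            # random-state check; stops off-path senders
        return False
    if require_auth:                          # key check; stops anyone without the DH secret
        expected = chunk_mac(ep.key, chunk["tag"], chunk["op"], chunk["addr"])
        if not hmac.compare_digest(expected, chunk.get("mac", b"")):
            return False
    if chunk["op"] == "ADD":
        ep.addresses.add(chunk["addr"])
    else:
        ep.addresses.discard(chunk["addr"])
    return True


def scenario(sender, require_auth):
    """Run INIT/INIT-ACK between CN and MN, then let `sender` send an ADD to CN.
    sender is one of: "peer", "off_path", "eavesdropper", "mitm"."""
    cn = Endpoint("CN", "10.0.0.1")          # constructed addresses
    mn = Endpoint("MN", "10.0.0.2")
    mitm = Endpoint("MITM", "192.0.2.9") if sender == "mitm" else None
    seen = init_exchange(cn, mn, mitm)
    if sender == "peer":                      # the legitimate mobile node moving
        tag, key = mn.peer_tag, mn.key
    elif sender == "off_path":                # never saw the handshake: tag unknown
        tag, key = (cn.my_tag + 1) & 0xFFFFFFFF, None
    elif sender == "eavesdropper":            # saw INIT/INIT-ACK: tags yes, DH secret no
        tag, key = seen["tags"]["CN"], None
    else:                                     # active MITM holds a key with each side
        tag, key = seen["tags"]["CN"], mitm.key_with["CN"]
    return accept_asconf(cn, make_asconf(tag, "ADD", "192.0.2.9", key), require_auth)


if __name__ == "__main__":
    for s in ("peer", "off_path", "eavesdropper", "mitm"):
        print(f"{s:12s} tag-only={scenario(s, False)!s:5s} with-key={scenario(s, True)}")
```

Running it shows the two points made above in one table: with the verification tag alone, an off-path sender is refused but anyone who watched INIT/INIT-ACK is not; adding a key agreed in INIT/INIT-ACK shuts out the passive eavesdropper, while an active man-in-the-middle on that handshake is still accepted, which is exactly the residual case that the "routing infrastructure is not compromised" assumption is meant to cover.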
