ietf

Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13

2015-07-15 16:57:53
"Warren" == Warren Kumari <warren(_at_)kumari(_dot_)net> writes:

    Warren>    On Saturday, July 11, 2015, Christian Huitema
    Warren> <huitema(_at_)microsoft(_dot_)com>
    Warren>    wrote:

    Warren>      On Saturday, July 11, 2015 8:50 AM, joel jaeggli wrote
    >> ...  [5] Section 5:
    >> 
    >> Fake DHCP servers / fake RAs are currently a security concern -
    >> this doesn't make them any better or worse.
    >> 
    >> Please cite a reference for this, preferably with operational
    >> recommendations on limiting these problems (e.g., ensure that
    >> DHCP and RA traffic cannot be injected from outside/beyond the
    >> network that is relevant to the portal).

     There is definitely an
attack vector there. Suppose an attacker can monitor the
traffic, say on an unencrypted Wi-Fi hot spot. The attacker
can see a DHCP request or INFORM, and race in a fake
response with a URL of their own choosing. The mark's
computer automatically connects there, and downloads some
zero-day attack.  Bingo!

    Warren>    An attacker with this level of access can already do
    Warren> this. They fake a DHCP response with themselves as the
    Warren> gateway and insert a 302 into any http connection. Or, more
    Warren> likely they simply inject malicious code into some
    Warren> connection.


I'm with Christian.  The attack he describes--injecting a URI--is less
likely in my mind to be noticed than setting up a gateway.  So, I do
consider this a new vector.