Discussion:
RES: RES: RES: IPv6 transition issues
Marcelo Barbosa Lima
2003-01-06 15:31:38 UTC
I understand what you are saying. For this case, I am thinking exactly of manual configuration, using a pre-shared secret or a digital certificate. Really, the objective is to limit mobility to only those networks where the MN is permitted (I don't want strange laptops logging in to my network :-). In public networks (a cellular network, for example), authentication can be null (authentication would be taken care of by higher layers). A similar solution to IEEE 802.11b. In ARP and DHCP, this is impossible. So, MIPv4 can never have this additional security. Some authentication is more secure than no authentication. Manual keys can be used in controlled and private environments. In practice, nobody will want unknown hosts connected to their network. In public networks where we don't have pre-shared secrets or a Public Key Infrastructure, authentication can be done in higher layers. So, the possibility of implementing authentication is real. This makes me believe that MIPv6 is more secure than MIPv4!

regarding this subject.
Best Regards,

Marcelo.

-----Original Message-----
From: Pekka Savola [mailto:***@netcore.fi]
Sent: Monday, 6 January 2003 12:17
To: Marcelo Barbosa Lima
Cc: ***@arc.net.my; Thakur, Anand; ***@sunroof.eng.sun.com;
***@i2r.a-star.edu.sg
Subject: Re: RES: RES: (ngtrans) IPv6 transition issues
"Neighbor Discovery protocol packet exchanges can be authenticated
using the IP Authentication Header [IPv6-AUTH]. A node SHOULD
include an Authentication Header when sending Neighbor Discovery
packets if a security association for use with the IP Authentication
Header exists for the destination address. The security associations
may have been created through manual configuration or through the
operation of some key management protocol.
Received Authentication Headers in Neighbor Discovery packets MUST be
verified for correctness and packets with incorrect authentication
MUST be ignored.
Yeah, the language is wishy-washy -- when specifying, people didn't sit
down and consider what it actually requires to make it work.
It SHOULD be possible for the system administrator to configure a
node to ignore any Neighbor Discovery messages that are not
authenticated using either the Authentication Header or Encapsulating
Security Payload. The configuration technique for this MUST be
documented. Such a switch SHOULD default to allowing unauthenticated
messages.
Confidentiality issues are addressed by the IP Security Architecture
and the IP Encapsulating Security Payload documents [IPv6-SA, IPv6-
ESP]."
In a local environment it is relatively simpler to create security
associations between peers. Even a PKI solution can be implemented. There
are some purposes regarding authentication in the Neighbor Discovery
protocol. I looked for an RFC/draft about it, but I did not find it.
Please, whoever knows where I can find it, email me. If it is hard to
implement, I think that it is not, because it is simpler to establish
SAs in a local network. Regards,
How do you implement automatic keying when you don't have an IP address?
Therein is a bootstrapping problem.

Manual keying is possible but very burdensome, as you will also have to
create security associations with link-local multicast addresses. Of
course, this is only possible in subnets where you know which nodes will
be there so pre-configuration will be possible (wrt. e.g. WLAN hotspots
are not so.)

The IETF web page is down at the moment, but check SEND working group
page when it's available. In particular check out these drafts:

draft-ietf-send-psreq-00.txt (under revision, new tentative version posted
on the list)
draft-arkko-manual-icmpv6-sas-01.txt
-----Original Message-----
Sent: Monday, 6 January 2003 10:10
To: Marcelo Barbosa Lima
Subject: Re: RES: (ngtrans) IPv6 transition issues
Yes, in a typing fury I forgot/missed the IPv6 solution for mobility.
IPv6 is streamlined and designed for mobility in mind. Again there are
the patches in IPv4, although riddled with triangular routing issues.
But then again is there anyone really into mobile IP? And I use NTT
DoCoMo and likes in Japan as examples for this and not a 'hotspot' cafe
answer on 802.11.
In IPv4, attacks against the ARP protocol (mobile IPv4 trusts the ARP
protocol) are easy to implement. DHCP can also be bypassed easily. So, the
neighbour protocol with AH is a more secure solution. Regards,
Less market speak, more technology, please.
Securing the neighbor protocol with AH is _hard_.
Please check out SEND working group.
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
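To put a number on Pekka's point that manual keying for Neighbor Discovery means provisioning security associations to link-local multicast groups as well as to peers, here is an added example (not from this thread, the SEND drafts, or any of the posters) that enumerates the (source, destination) pairs a manually keyed AH deployment would have to cover for a small link. The function names, the sample link-local addresses, and the assumption of one SA per source/destination pair are mine.

```python
import ipaddress

# Well-known link-local groups that ND traffic is sent to (RFC 2461 / RFC 4291).
ALL_NODES = ipaddress.IPv6Address("ff02::1")    # Router Advertisements, unsolicited NAs
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")  # Router Solicitations

def solicited_node_multicast(addr):
    """Solicited-node group ff02::1:ffXX:XXXX built from the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def required_nd_sas(nodes):
    """(src, dst) pairs a manually keyed AH deployment must provision so that every
    ND message exchanged between the listed nodes can be authenticated.
    Assumption (ours, for this example): one SA per source/destination pair."""
    nodes = [ipaddress.IPv6Address(n) for n in nodes]
    sas = set()
    for src in nodes:
        sas.add((src, ALL_NODES))     # RA / unsolicited NA sent by this node
        sas.add((src, ALL_ROUTERS))   # RS sent by this node
        for dst in nodes:
            if dst == src:
                continue
            sas.add((src, dst))                            # unicast NS/NA (NUD, replies)
            sas.add((src, solicited_node_multicast(dst)))  # NS for address resolution
    return sas

def unkeyable_dad_probes(nodes):
    """DAD Neighbor Solicitations are sent from the unspecified address (::) before
    the node owns an address, so no per-node source address exists to select a
    manual SA on; this is the bootstrapping problem raised in the thread."""
    return {(ipaddress.IPv6Address("::"), solicited_node_multicast(n)) for n in nodes}

if __name__ == "__main__":
    # Constructed sample: three hosts on one link, known only by link-local address.
    lan = ["fe80::1", "fe80::20c:29ff:fe12:3456", "fe80::a00:27ff:fe00:beef"]
    sas = required_nd_sas(lan)
    print(f"{len(lan)} nodes -> {len(sas)} manual AH SAs needed for ND")
    print(f"{len(unkeyable_dad_probes(lan))} DAD probes have no per-node source to key on")
```

The SA count grows quadratically with the number of nodes, which is why Pekka calls manual keying "very burdensome" outside small, fully known subnets.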