Re: address pair exploration, flooding and state loss

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

Hi Greg,

El 26/05/2005, a las 5:39, Greg Daley escribió:

> Hi,
>
> Sorry about the delay in responding, I've been catching up.
>
> Erik Nordmark wrote:
> [cut]
> > > - a packet that refers to an existent context. This packet need to 
> > > be identified as a shim packet and must contain context 
> > > identification (i.e. context tag). In addition, the packet needs to 
> > > include a packet identifier, so that it is possible to bound the 
> > > reply to this initial packet (this is so in order to prevent some 
> > > forms of attacks similar to TCP reset attacks, where an attacker can 
> > > force a node to act as if the peer has lost its state)
> > This makes me realize that the approach to use a separate packet to 
> > detect state loss is a bit less effective than defining a "missing 
> > context" error message which is sent in response to data packets.
> > Here is an example with an error message.
> > Assume A is communicating with B using <A1, B1> as the locator pair.
> > A is seeing upper layer advise indicating that things are ok.
> > At time t0 A receives the last positive upper layer advise.
> > At some time later (t1), A should send some "test" to B.
> > But there could be two possible failures to handle:
> > 1. B lost (or garbage collected) the context state.
> > 2. <A1, B1> stopped working.
> > In #1 the best thing for A would be to test <A1, B1>.
> > In #2 the best thing for A would be to try a different locator pair.
> > If we had a "missing context" error message, then in case #1 A would 
> > have received such an error with high probability. Hence when it sees 
> > nothing coming back it can assume #2 and explore a different locator 
> > pair.
> > Without such an error message in the protocol it isn't clear to me 
> > what A's strategy should be.
>
> In order to ensure that context error messages aren't ignored like
> destination unreachables, it may be valuable to work out a way
> of verifying the messages.
>
> So either the error message needs to self-authenticate (potentially
> difficult considering context has been lost), or be used as a hint
> to the peer to check the path with further signalling.
>
> This works so long as in a resultant state checking exchange, there's
> a liveness mechanism at least (nonce?) which can be known to be fresh.

I think that the security achieved by including some random nonce 
present in the original packet in the error packet would be good 
enough. such approach would imply that only on path attackers can 
generate fake error messages.
Probably this can be complemented by a context reestablishment 
strategy, in order to re create the lost context. In case that the 
context has not been lost, peers should be able to detect it.

As i think we concluded a while ago, the key point is that these 
particular error messages cannot be sent spontaneously, but must be 
sent as a reply to a packet of the context (which must carry this 
random nonce)

this, i guess imposes that data packets of the context, that need to be 
demuxed, need not only to carry the context tag, but also this security 
nonce.

Regards, marcelo


> For self-authentication, you'd basically require the original
> data sender to have enough context left to authenticate the peer,
> based on their IP address information (For example if CGA
> addresses were locators, and the public key was known).
> Timestamp information gathered previously for the CGA address
> may be able to be used to ensure freshness.
>
> Some of these mechanisms were used in SEND, but become suspect
> for devices which have lost context state on the other side of the
> Internet.  It's possible to say though, that if the error message
> contains a valid signature and timestamp, it's immediately verified.
>
> I guess the "hint+check" mechanism is a fair one in general though.
> The hint could be afforded more or less weight if it was impossible
> to verify a CGA signature or the timestamp was out of bounds.
>
> Greg