
Re: Recovering from multiple routers advertising routes



On Wed, May 14, 2003 at 03:41:44PM -0400, Anthony DeRobertis wrote:
> 
> On Wednesday, May 14, 2003, at 03:10 PM, Bill Cerveny wrote:
> 
> >This was also the engineer's point -- he felt IPv4 DHCP was broken in 
> >this manner and this broken behavior was being perpetuated via IPv6 
> >router advertisements.
> 
> Well, the only solutions are really:
> 
> 	a) Static addressing
> 	b) Signed announcements, with replay protection
> 	c) layer-three switches to only allow announcements from certain
> 	   ports
> 
> (c) is the only solution that doesn't nullify the benefits of autoconf, 
> but it's expensive. (b) requires configuration on each host, and 
> possibly even a lot of state keeping (for replay prevention) which 
> defeats the autoconf goal.

 Couldn't you do (b) the way SSH handles server public keys?  When you first
set up networking, assume the first DHCP offer/v6 router adv you get is
legit.  Download the public key which signed the advertisement, and check
that it matches the signature.  If an interactive network config tool is
running (as is likely for the first advertisement seen), the ID of the signer
could be displayed, confirmation asked for (as in the first connection to a
new server with SSH), etc.

 This way, only computers that are newly set up while an attack is under way
are affected with anything more than a potential DOS.  Affected computers
would see it as an attack when the attacker _stopped_ sending advertisements,
because the legit ones would have a different key.  It would, as you say,
require saving a lot of state.  You might even need a way for the server
to tell clients to forget the old key, in case that was needed for
something.  The clients could be configured to listen to advertisements
signed with 1, 2, or more different keys.  (If a machine should accept
advertisements from only a single trusted identity, then it should be told
that, so it knows that any advertisements signed with new IDs are attacks,
and not some new source of legitimate advs.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


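The trust-on-first-use scheme sketched in the message above, as an added example that is not code from the original message or the thread: a host pins the key carried by the first advertisement it sees (after an optional interactive confirmation), rejects later advertisements for that signer ID under any other key, can be told how many signer identities to expect so that a new ID is an attack rather than a new source of advertisements, keeps a per-signer sequence number for replay rejection, and honours a rollover field signed with the old key as the "forget the old key" mechanism. Everything concrete is assumed: the message layout, the signer IDs, the `successor` field name, and textbook RSA over tiny Mersenne-prime moduli standing in for a real signature scheme (Python, standard library only).

```python
"""TOFU pinning for signed router advertisements (added example, not from
the original thread). Textbook RSA over Mersenne-prime moduli stands in
for a real signature scheme; the moduli are trivially factorable and exist
only so this runs on the standard library. Message layout, signer IDs and
the `successor` field are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

PubKey = Tuple[int, int]   # (n, e)
E = 65537

def toy_keypair(p_exp: int, q_exp: int) -> Tuple[PubKey, int]:
    """(public, private) from two Mersenne primes 2^k - 1. INSECURE toy sizes."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)

def _digest(body: dict, n: int) -> int:
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_adv(payload: dict, pub: PubKey, priv: int) -> dict:
    """Router side: embed the public key (so a host can fetch it) and sign."""
    body = dict(payload, pubkey=list(pub))
    return {"body": body, "sig": pow(_digest(body, pub[0]), priv, pub[0])}

def verify_adv(adv: dict, pub: PubKey) -> bool:
    n, e = pub
    return pow(adv["sig"], e, n) == _digest(adv["body"], n)

def fingerprint(pub: PubKey) -> str:
    return hashlib.sha256(json.dumps(list(pub)).encode()).hexdigest()[:16]

@dataclass
class Client:
    """Host state: one pinned key and one last-seen sequence number per signer."""
    max_signers: int = 0                  # 0 = learn any new signer on first sight
    confirm: Callable[[str, str], bool] = lambda signer, fp: True  # interactive prompt
    pinned: Dict[str, PubKey] = field(default_factory=dict)
    last_seq: Dict[str, int] = field(default_factory=dict)

    def receive(self, adv: dict) -> str:
        body = adv["body"]
        signer, seq, offered = body["signer"], body["seq"], tuple(body["pubkey"])
        if signer not in self.pinned:
            # First contact. A host told to expect N identities treats any
            # further ID as an attack; otherwise learn it, SSH-style.
            if self.max_signers and len(self.pinned) >= self.max_signers:
                return "attack:unknown-signer"
            if not verify_adv(adv, offered):
                return "reject:bad-signature"
            if not self.confirm(signer, fingerprint(offered)):
                return "reject:user-declined"
            self.pinned[signer] = offered
            self.last_seq[signer] = seq
            return "pinned"
        # Known signer: the key must be the pinned one. A mismatch is either a
        # rogue using the ID, or the real router reappearing after a rogue got
        # pinned first; the host cannot tell which.
        if offered != self.pinned[signer]:
            return "attack:key-mismatch"
        if not verify_adv(adv, offered):
            return "reject:bad-signature"
        if seq <= self.last_seq[signer]:
            return "reject:replay"
        self.last_seq[signer] = seq
        if "successor" in body:
            # Rollover authorised under the old key: forget it, pin the new one.
            self.pinned[signer] = tuple(body["successor"])
            return "rolled-over"
        return "accepted"

def run_scenario() -> list:
    """Constructed exchange: router A, a rogue router X, and a key rollover."""
    pub_a, priv_a = toy_keypair(61, 89)
    pub_a2, priv_a2 = toy_keypair(19, 127)   # A's replacement key
    pub_x, priv_x = toy_keypair(31, 107)     # rogue router

    def adv(signer, seq, pub, priv, **extra):
        payload = {"signer": signer, "seq": seq, "prefix": "2001:db8:1::/64", **extra}
        return sign_adv(payload, pub, priv)

    host = Client(max_signers=1)             # told to trust exactly one identity
    out = [
        host.receive(adv("router-a", 1, pub_a, priv_a)),    # first contact: pinned
        host.receive(adv("router-a", 2, pub_a, priv_a)),    # accepted
        host.receive(adv("router-a", 2, pub_a, priv_a)),    # same seq again: replay
        host.receive(adv("router-a", 9, pub_x, priv_x)),    # X impersonating A
        host.receive(adv("router-x", 1, pub_x, priv_x)),    # X under its own ID
        host.receive(adv("router-a", 3, pub_a, priv_a, successor=list(pub_a2))),
        host.receive(adv("router-a", 4, pub_a2, priv_a2)),  # accepted under new key
        host.receive(adv("router-a", 5, pub_a, priv_a)),    # retired key: mismatch
    ]
    # A host first set up while X is announcing pins X's key, so the real
    # router looks like the attacker once X stops.
    victim = Client()
    out.append(victim.receive(adv("router-a", 1, pub_x, priv_x)))
    out.append(victim.receive(adv("router-a", 2, pub_a, priv_a)))
    return out
```

What the host keeps per signer is one public key and the last accepted sequence number; that pair is the whole cost of the replay check, and the `successor` field is what lets a router retire a key without every host having to be reconfigured by hand. The last two steps of `run_scenario` are the case the message singles out: a host that came up during the attack pins the rogue key and then classifies the legitimate router as the attacker.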
