Re: Redir games with ARP and ICMP

[flegel () MAIL BRAUNSCHWEIG NETSURF DE (Ulrich Flegel)]

A. Cox wrote:

AC> You have a fundamental problem, and this is why neither IPv6 or bootp
AC> are any more secure to these forms of attack. Unless you burn keys
AC> into the roms or onto the disks of hosts by a non IP method you will
AC> never be able to set up the first secure session to learn the others -
AC> you have a problem akin to a PGP web of trust with nobody else to
AC> trust. With IPv6 you can at least theoretically implement IP-ESP
AC> (encryption headers) even on link layer "neighbour discovery" packets.

You'll  need those host-local keys in every case, yes.  Otherwise you'd have
to fear the man in the middle.

AC> In IPv6 there is local IPv6 rather than ARP thus one day we can crypt
AC> those too.

Which  is  probably  no  good  idea  because  the  amount  of data you crypt
determines  the weakness of the key in use.  You'd better use the host-local
key to establish some new SPI with your neighbour via some KMP.  But the KMP
access  will  trigger ICMPv6 neighbour discovery traffic.  To cope with this
problem  you'd  have  to  specify  static SPI's between all of your machines
(n*(n-1)), which doesn't scale well.  It's all not THAT easy, is it?

 Read ya later,...
                   Ulrich.

PS:   See  http://www.ibr.cs.tu-bs.de/general/papers/sicherheit-flegel.ps.gz
for  further security implications of the IPv6 suite.  It's my master thesis
and  it's written in german language, so probably it's not an option for all
of you.