Re: [IPsec] draft-ietf-ipsecme-failure-detection-01 -- issue 193

Sun, 17 Oct 2010 05:57:18 -0700 

Hi Frederic,
I understand the scenario now and I agree that a solution is needed. But I have two issues, one general and one specific: 


- Even though there are no interoperability implications, I think we 
should specify the token format. This will prevent people from making 
some security-critical design mistakes. In other words, we should have 
*one* token generation method.



- The proposed method uses the taker's IP address, making some 
assumptions on the load balancer's behavior. But what if the load 
balancer behaves a bit differently, e.g. by including the source port in 
the decision function? Such a system will still have the vulnerability. 
What if we choose instead to include the *maker* identity (a sequential 
member number, or a private IP, or even a MAC address)? This would 
prevent another member from re-generating the same token for an 
attacker, and as a side benefit, will not require token changes when the 
client is roaming.


Thanks,
        Yaron

On 15/10/10 11:53, Frederic Detienne wrote:

Hi Yaron,

In response to issue 193. For reference:

--8<--
Section 9.3: this entire discussion is probably redundant, because when a node 
fails in the LS cluster, you switch to another node. Implementing QCD on top of 
this is probably an overkill. If we remove this section, we can get rid of sec. 
5.2 as well, and we can focus on a single recommended way to generate the 
token, which would make analysis that much easier.
--8<--

9.3 has been moved to 10.4 under security consideration. I will refer to 10.4 
instead of 9.3 from now on.

The token generation method highlighted in 5.1 presents a security risk 
highlighted in section 10.4.

We can not get rid of 5.2 nor 10.4, however we could make it clearer that 5.2 
is the recommended token generation method when the risk highlighted in10.4 is 
present.

Regards,

        fred

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec






















					Reply via email to