1 / 7

Masataka Ohta Tokyo Institute of technology mohta@necom830.hpcl.titech.ac.jp

Threats Relating to Transport Layer Protocols Handling Multiple Addresses <draft-ohta-multi6-threats-00.txt>. Masataka Ohta Tokyo Institute of technology mohta@necom830.hpcl.titech.ac.jp. Multihoming and Multiple Addresses. To not to bloat the global routing table

michelleking
Download Presentation

Masataka Ohta Tokyo Institute of technology mohta@necom830.hpcl.titech.ac.jp

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Threats Relating to Transport Layer Protocols Handling Multiple Addresses<draft-ohta-multi6-threats-00.txt> Masataka Ohta Tokyo Institute of technology mohta@necom830.hpcl.titech.ac.jp

  2. Multihoming and Multiple Addresses • To not to bloat the global routing table • Sites and small ISPs should have multiple prefixes assigned from their upstream • Multiple IP Addresses are mapped to a single transport entity session by session • The Internetworking layer is connectionless • Can not support “session” or its state • Transport layer takes care of the addresses

  3. Threats Identified • Connection Hijacking with False Peer Address • New DDoS Opportunity with False Source Information • New DoS Opportunity on Identification • Privacy on Identification

  4. Connection Hijacking with False Peer Address • Hosts in multihomed sites may be supplied a false peer address from an attacker, which redirect existing connection to a wrong location. • Not a new threat • MITM can rewrite DNS answers • MITM can rewirte URLs of HTTP sessions • Protected by cookies of transport protocols

  5. New DDoS Opportunity with False Source Information • Hosts may be used for distributed DoS to damage the rest of the Internet • DoS amplification is the problem • Not a new threat • DNS reply is often longer than query • DoS bandwidth amplified • M6 protocols should not reply so long or so much replies for a short query packet

  6. New DoS Opportunity on Identification • Depending on a way to identify a host, the host may be subject to DoS • PK cryptography is computationary expensive • Never perform PK computation (if any) without a cookie exchange • not a protection against MITM

  7. Privacy on Identification • Depending on a way to identify a host, hosts may not be able to hide its privacy • IDs should be able to be temporary • Locators can not be hidden

More Related