> Perhaps the draft discusses this, but when you handle an
> early binding update, when is "HoA check" in the binding
> cache updated?
Hi Erik,
you are right: An Early Binding Update message is authenticated by a key
which was produced with a Home Keygen Token. The correspondent node
must verify this authentication. (I think this is what you refer to as
a "HoA check [update]".) So here again, if ingress filtering was
employed at the mobile node's (i.e., the attacker's) access network,
the mobile node (attacker) would not be able to fake the IP source
address of the Early Binding Update message as well as of any data
packet.
As an aside: An Early Binding Update message is authenticated in the
same way as a standard Mobile IPv6 Binding Update message when used by
a mobile node which returns to its home network and wishes to delete an
existing binding.
When the correspondent node receives an Early Binding Update message, it
updates the associated binding-cache entry, which then becomes
tentative. The updated, tentative binding-cache entry is equivalent to
a standard Mobile IPv6 binding-cache entry, except that its lifetime is
shorter.
Best regards
- Christian
|
| Christian Vogt
| Institute of Telematics, University of Karlsruhe
| www.tm.uka.de/~chvogt/
|
Quoting Erik Nordmark <Erik.Nordmark@xxxxxxx>:
> > => this is the first property, the second is to be
> > immune to the ingress filtering (the CoA is the source
> > address and is the address of the victim so the
> > ingress filtering is the proper defense).
>
> Are you saying that the source address of the BU must
> be the (new) CoA?
>
> Hmm - maybe that is sufficient in the MIPv6 case (I have
> multi6 in the back of my head as well, which has a
> variant of the same issues.)
>
> Perhaps the draft discusses this, but when you handle an
> early binding update, when is "HoA check" in the binding
> cache updated?
>
> In basic MIPv6 this happens when the BU is processed
> i.e. after that the MN can no longer send packets with
> the old CoA as the source since the Home Address option
> check will drop such packets. If the same thing applies
> in the early binding update case it means that the
> attacker can not send any "ack" packets to the CN since
> they would contain the "old" CoA - oops - they would not
> carry a home address option thus they would not be
> subject to "the HOA and IP src must match the binding
> cache" check. Hmm...
>
> Erik
-------------------------------------------------------------
This message was sent through ATIS: http://atiswww.ira.uka.de
|
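As an added illustration (not code from the draft, from RFC 3775, or from either of the correspondents), here is a small Python model of the correspondent-node side of the exchange discussed above. Keygen tokens, the binding management key Kbm and the Binding Authorization Data follow the RFC 3775 construction; the Early Binding Update key (home keygen token only, the same key a standard deregistration BU uses) and the 60-second lifetime of a tentative entry are assumptions made for this example, as are the addresses, the nonce and the Kcn secret. It also shows the point Erik raises at the end: a packet carrying no Home Address option is never subject to the "HoA and IP source must match the binding cache" check.

```python
import hashlib
import hmac
import ipaddress

# Illustrative model only. Token/key/MAC shapes follow RFC 3775; the Early BU
# key (home token only) and TENTATIVE_LIFETIME are assumptions for this example.
STANDARD_LIFETIME = 420   # RFC 3775 caps RR-authenticated bindings at 420 s
TENTATIVE_LIFETIME = 60   # assumed: tentative entries live much shorter


def _addr(a):
    return ipaddress.IPv6Address(a).packed


def keygen_token(kcn, addr, nonce, kind):
    """First 64 bits of HMAC-SHA1(Kcn, addr | nonce | kind); kind 0 = home, 1 = care-of."""
    return hmac.new(kcn, _addr(addr) + nonce + bytes([kind]), "sha1").digest()[:8]


def kbm(home_token, careof_token=None):
    """Kbm = SHA-1(home token | care-of token) for a standard BU; SHA-1(home token)
    alone for a deregistration BU and (assumed here) for an Early BU."""
    return hashlib.sha1(home_token + (careof_token or b"")).digest()


def bu_auth(key, coa, cn, fields):
    """Binding Authorization Data: first 96 bits of HMAC-SHA1(Kbm, CoA | CN | MH data)."""
    return hmac.new(key, _addr(coa) + _addr(cn) + fields, "sha1").digest()[:12]


def build_bu(hoa, coa, cn, lifetime, home_tok, careof_tok=None):
    """Mobile-node side: no care-of token means an Early BU (or a deregistration)."""
    fields = _addr(hoa) + lifetime.to_bytes(2, "big")
    return dict(hoa=hoa, coa=coa, lifetime=lifetime, early=careof_tok is None,
                auth=bu_auth(kbm(home_tok, careof_tok), coa, cn, fields))


class CorrespondentNode:
    def __init__(self, addr, kcn):
        self.addr, self.kcn = addr, kcn
        self.nonce = b"\x01" * 8      # constructed; a real node rotates nonces
        self.cache = {}               # HoA -> {"coa", "expires", "tentative"}

    def tokens(self, hoa, coa):
        return (keygen_token(self.kcn, hoa, self.nonce, 0),
                keygen_token(self.kcn, coa, self.nonce, 1))

    def process_bu(self, hoa, coa, lifetime, auth, early, now):
        home_tok, careof_tok = self.tokens(hoa, coa)
        key = kbm(home_tok) if (early or lifetime == 0) else kbm(home_tok, careof_tok)
        fields = _addr(hoa) + lifetime.to_bytes(2, "big")
        if not hmac.compare_digest(auth, bu_auth(key, coa, self.addr, fields)):
            return "rejected"
        if lifetime == 0:             # MN back at home: delete the binding
            self.cache.pop(hoa, None)
            return "deleted"
        cap = TENTATIVE_LIFETIME if early else STANDARD_LIFETIME
        self.cache[hoa] = {"coa": coa, "expires": now + min(lifetime, cap), "tentative": early}
        return "tentative" if early else "accepted"

    def check_packet(self, src, hao, now):
        """Home Address option check: a packet with a HAO is accepted only if the
        cache binds that HoA to the packet's source. No HAO, no check."""
        if hao is None:
            return "not-checked"
        entry = self.cache.get(hao)
        if entry is None or entry["expires"] <= now or entry["coa"] != src:
            return "dropped"
        return "accepted"


def scenario():
    """Constructed run: early BU, data packets, forged BU, standard BU, deregistration."""
    cn = CorrespondentNode("2001:db8::1", b"constructed-kcn-secret")
    hoa, old_coa, new_coa = "2001:db8:a::1", "2001:db8:b::1", "2001:db8:c::1"
    home_tok, careof_tok = cn.tokens(hoa, new_coa)
    r = []
    early = build_bu(hoa, new_coa, cn.addr, 300, home_tok)
    r.append(cn.process_bu(**early, now=0))          # tentative
    r.append(cn.cache[hoa]["expires"])               # 60: lifetime capped, not 300
    r.append(cn.check_packet(new_coa, hoa, 1))       # accepted
    r.append(cn.check_packet(old_coa, hoa, 1))       # dropped: HoA now bound to new_coa
    r.append(cn.check_packet(old_coa, None, 1))      # not-checked: no Home Address option
    r.append(cn.check_packet(new_coa, hoa, 61))      # dropped: tentative entry expired
    bogus = build_bu(hoa, new_coa, cn.addr, 300, b"\x00" * 8)
    r.append(cn.process_bu(**bogus, now=62))         # rejected: wrong home token
    std = build_bu(hoa, new_coa, cn.addr, 300, home_tok, careof_tok)
    r.append(cn.process_bu(**std, now=62))           # accepted
    r.append(cn.cache[hoa]["expires"])               # 362
    dereg = build_bu(hoa, hoa, cn.addr, 0, home_tok) # back home: home token only
    r.append(cn.process_bu(**dereg, now=63))         # deleted
    r.append(cn.check_packet(new_coa, hoa, 64))      # dropped
    return r
```

The model deliberately keeps the two checks apart: process_bu only ever verifies the Binding Authorization Data, and check_packet only ever compares the packet source against the binding; a packet sent from the old care-of address without a Home Address option passes through untouched, which is exactly the gap noted in the quoted message.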