RFC1675 - Security Concerns for IPng

王朝other · Author: anonymous  2008-05-31

Network Working Group                                        S. Bellovin
Request for Comments: 1675                        AT&T Bell Laboratories
Category: Informational                                      August 1994

Security Concerns for IPng

Status of this Memo

This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.

Abstract

This document was submitted to the IETF IPng area in response to RFC
1550. Publication of this document does not imply acceptance by the
IPng area of any ideas expressed within. Comments should be
submitted to the big-internet@munnari.oz.au mailing list.

Overview and Rationale

A number of the candidates for IPng have some features that are
somewhat worrisome from a security perspective. While it is not
necessary that IPng be an improvement over IPv4, it is mandatory that
it not make things worse. Below, I outline a number of areas of
concern. In some cases, there are features that would have a
negative impact on security if nothing else is done. It may be
desirable to adopt the features anyway, but in that case, the
corrective action is mandatory.

Firewalls

For better or worse, firewalls are very much a feature of today's
Internet. They are not, primarily, a response to network protocol
security problems per se. Rather, they are a means to compensate for
failings in software engineering and system administration. As such,
firewalls are not likely to go away any time soon; IPng will do
nothing to make host programs any less buggy. Anything that makes
firewalls harder to deploy will make IPng less acceptable in the
market.

Firewalls impose a number of requirements. First, there must be a
hierarchical address space. Many address-based filters use the
structure of IPv4 addresses for access control decisions.
Fortunately, this is a requirement for scalable routing as well.
Routers, though, only need access to the destination address of the
packet. Network-level firewalls often need to check both the source
and destination address. A structure that makes it harder to find
the source address is a distinct negative.

There is also a need for access to the transport-level (i.e., the TCP
or UDP) header. This may be for the port number field, or for access
to various flag bits, notably the ACK bit in the TCP header. This
latter field is used to distinguish between incoming and outgoing
calls.
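
The checks described in the two paragraphs above, written out for IPv4 as
an added example (not part of the original memo): a stateless filter for
packets arriving on the outside interface that reads both addresses, the
destination port and the ACK bit. The protected prefix, the open port and
all function names are assumptions made for illustration.

```python
import ipaddress
import struct

INSIDE = ipaddress.ip_network("192.0.2.0/24")  # assumed protected prefix
OPEN_PORTS = {25}                              # assumed: inbound mail only
ACK = 0x10                                     # ACK bit in the TCP flags byte

def make_packet(src, dst, sport, dport, flags, frag_off=0):
    """Constructed sample: 20-byte IPv4 + 20-byte TCP header, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_off, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

def filter_external(packet):
    """Decide on a packet that arrived on the external interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "deny: not IPv4"
    ihl = (packet[0] & 0x0F) * 4               # header length varies with options
    if ihl < 20:
        return "deny: bad header length"
    frag, proto = struct.unpack("!H", packet[6:8])[0], packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if src in INSIDE:                          # source address check
        return "deny: inside source address on outside interface"
    if dst not in INSIDE:                      # destination address check
        return "deny: destination not ours"
    if proto != 6:
        return "deny: only TCP handled in this example"
    if frag & 0x1FFF:                          # later fragments carry no TCP header
        return "deny: non-first fragment, no TCP header to inspect"
    if len(packet) < ihl + 14:
        return "deny: truncated TCP header"
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    if flags & ACK:                            # reply traffic of an outgoing call
        return "permit: ACK set, part of an existing call"
    if dport in OPEN_PORTS:
        return "permit: new call to open service"
    return "deny: incoming call to closed port"
```

Because the filter keeps no state, any segment with ACK set is passed; the
rule blocks connection setup from outside, not every unsolicited packet.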

In a different vein, at least one of the possible transition plans
uses network-level packet translators [1]. Organizations that use
firewalls will need to deploy their own translators to aid in
converting their own internal networks. They cannot rely on
centrally-located translators intended to serve the entire Internet
community. It is thus vital that translators be simple, portable to
many common platforms, and cheap -- we do not want to impose too high
a financial barrier for converts to IPng.

By the same token, it is desirable that such translation boxes not be
usable for network-layer connection-laundering. It is difficult
enough to trace back attacks today; we should not make it harder.
(Some brands of terminal servers can be used for laundering. Most
sites with such boxes have learned to configure them so that such
activities are impossible.) Comprehensive logging is a possible
alternative.

IPAE [1] does not have problems with its translation strategy, as
addresses are (insofar as possible) preserved; it is necessary to avoid
any alternative strategies, such as circuit-level translators, that
might.

Encryption and Authentication

A number of people are starting to experiment with IP-level
encryption and cryptographic authentication. This trend will (and
should) continue. IPng should not make this harder, either
intrinsically or by imposing a substantial performance barrier.

Encryption can be done with various different granularities: host to
host, host to gateway, and gateway to gateway. All of these have
their uses; IPng must not rule out any of them. Encapsulation and
tunneling strategies are somewhat problematic, as the packet may no
longer carry the original source address when it reaches an
encrypting gateway. (This may be seen more as a constraint on
network topologies. So be it, but we should warn people of the
limitation.)

Dual-stack approaches, such as in TUBA's transition plan [2], imply
multiple addresses for each host. (IPAE has this feature, too.) The
encryption and access control infrastructure needs to know about all
addresses for a given host, belonging to whichever stack. It should
not be possible to bypass authentication or encryption by asking for
a different address for the same host.

Source Routing and Address-based Authentication

The dominant form of host authentication in today's Internet is
address-based. That is, hosts often decide to trust other hosts
based on their IP addresses. (Actually, it's worse than that; much
authentication is name-based, which opens up new avenues of attack.
But if an attacker can spoof an IP address, there's no need to attack
the name service.) To the extent that it does work, address-based
authentication relies on the implied accuracy of the return route.
That is, though it is easy to inject packets with a false source
address, replies will generally follow the usual routing patterns,
and be sent to the real host with that address. This frustrates
most, though not all, attempts at impersonation.

Problems can arise if source-routing is used. A source route, which
must be reversed for reply packets, overrides the usual routing
mechanism, and hence destroys the security of address-based
authentication. For this reason, many organizations disable
source-routing, at least at their border routers.
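
What disabling source-routing at a border router amounts to for IPv4, as
an added example (not part of the original memo): walk the IP header
options and drop any packet carrying a loose or strict source route
option (types 131 and 137 in RFC 791). The function names and the sample
headers are constructed for illustration.

```python
import struct

LSRR, SSRR = 0x83, 0x89   # loose / strict source and record route (RFC 791)

def make_header(options=b""):
    """Constructed sample IPv4 header; option bytes are padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])) + options

def source_route_hops(header):
    """Return the hop list of a source-route option, or None if there is none.
    Raises ValueError on malformed options so the caller can drop the packet."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("bad IPv4 header")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            data = opts[i + 3:i + length]  # skip type, length and pointer
            return [".".join(map(str, data[j:j + 4]))
                    for j in range(0, len(data) - 3, 4)]
        i += length
    return None

def border_decision(header):
    """Forward only packets with well-formed options and no source route."""
    try:
        hops = source_route_hops(header)
    except ValueError as exc:
        return f"drop: {exc}"
    return "forward" if hops is None else f"drop: source route via {hops}"
```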

One candidate IPng -- SIPP -- includes source-routing as an important
component. To the extent this is used, it breaks address-based
authentication. This may not be bad; in fact, it is probably good.
But it is vital that a more secure cryptographic authentication
protocol be defined and deployed before any substantial cutover to
source routing, if SIPP is adopted.

Accounting

A significant part of the world wishes to do usage-sensitive
accounting. This may be for billing, or it may simply be to
accommodate quality-of-service requests. Either way, definitive
knowledge of the relevant address fields is needed. To accommodate
this, IPng should have a non-intrusive packet authentication
mechanism. By "non-intrusive", I mean that it should (a) present
little or no load to intermediate hops that do not need to do
authentication; (b) be deletable (if desired) by the border gateways,
and (c) be ignorable by end-systems or billing systems to which it is
not relevant.

References

[1] Gilligan, R., and E. Nordmark, "IPAE: The SIPP Interoperability
    and Transition Mechanism", Work in Progress, March 16, 1994.

[2] Piscitello, D., "Transition Plan for TUBA/CLNP", Work in
    Progress, March 4, 1994.

Security Considerations

This entire memo is about Security Considerations.

Author's Address

Steven M. Bellovin
Software Engineering Research Department
AT&T Bell Laboratories
600 Mountain Avenue
Murray Hill, NJ 07974, USA

Phone: +1 908-582-5886
Fax: +1 908-582-3063
EMail: smb@research.att.com

 
 
 