INTERNET DRAFT                                                   M. Ohta
draft-ohta-multi6-threats-00.txt           Tokyo Institute of Technology
                                                           February 2004

Threats Relating to Transport Layer Protocols Handling Multiple Addresses

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   This document lists security threats related to IPv6 multihoming
   solutions in which transport layer protocols are expected to handle
   multiple addresses of a host, so that the identity of the host is not
   necessarily recognized by a single address.

   The intent is to look at how IPv6 multihoming solutions might make
   the Internet less secure than the current Internet, without studying
   any proposed solution but instead looking at threats that are
   inherent in the problem itself.

1. Security Considerations

   With the current Internet, most transport layer protocols identify a
   host by a single address.

   However, for scalable multihoming, transport layer protocols are
   expected to handle multiple addresses of a host, so that the identity
   of the host is not necessarily recognized by a single address.

   This introduces four new possible security threats:

      Connection Hijacking with False Peer Address
         hosts in multihomed sites may be supplied a false peer address
         by an attacker, which redirects an existing connection to a
         wrong location.



M. Ohta                 Expires on August 3, 2004               [Page 1]

      New DDoS Opportunity with False Source Information
         hosts may be used for distributed DoS to damage the rest of the
         Internet.

      New DoS Opportunity on Identification
         depending on the way a host is identified, the host may be
         subject to DoS.

      Privacy on Identification
         depending on the way a host is identified, the host may not be
         able to protect its privacy.

   The following subsections analyze the threats with or without MITM
   (Man in the Middle).

1.1. Connection Hijacking with False Peer Address

   If a host is communicating with a peer, and if the transport layer
   protocol allows the address set to change dynamically during a
   connection, an attacker may be able to supply the host with false
   information on the source address of the peer and thereby hijack the
   connection.

   On the current Internet, where connections are identified by a pair
   of addresses that is fixed for the lifetime of the connection, this
   kind of attack is not possible at the transport layer.  However,
   similar attacks are possible at upper layers.  For example, an
   attacker may rewrite URLs in HTML text carried over HTTP over TCP to
   hijack a web browsing session.  Or, an attacker may rewrite the IP
   addresses in a DNS reply during URL resolution or at the initiating
   phase of an application layer connection.  As a protection against
   such attacks, transport and/or upper layer protocols use cookies or
   cookie-like information, such as randomized port numbers, TCP
   sequence numbers, DNS message IDs and so on.

   Without assuming MITM, the cookies or cookie-like information of
   existing transport and/or upper layer protocols can be naturally
   extended to give reasonable protection against connection hijacking
   by false source information.

   Of course, a cookie is powerless against MITM, and once a forged
   source address, URL or DNS answer has been supplied by a MITM, the
   effect persists even after the MITM goes away.

   If transport layer protocols handling multiple addresses of a host do
   not have a cookie or cookie-like mechanism at least as strong as that
   of TCP and still allow the address set to change dynamically during a
   connection, there will be a new security threat of connection
   hijacking.
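   The following is an added example, not part of this draft and not any
   proposed multi6 solution: a toy connection endpoint that accepts an
   address-set update only when the update carries a tag computed under a
   per-connection cookie established at setup.  The message layout, the
   Connection class, the update counter and the sample addresses are the
   example's own assumptions.  It shows the check the section asks for
   (an update from a party that does not hold the cookie leaves the
   address set unchanged) and also rejects replay of an earlier update.

```python
"""Added example (not from the draft): cookie-protected address-set
updates for a multi-address transport connection (Section 1.1)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Connection:
    """One end of a connection.  peer_addrs is the peer's current
    address set; cookie is the secret agreed at connection setup."""
    cookie: bytes
    peer_addrs: set = field(default_factory=set)
    seq: int = 0            # highest update counter accepted so far


def make_update(cookie: bytes, seq: int, new_addr: str) -> dict:
    """Build an address-set update.  The tag binds the counter and the
    new address to the cookie, so only a holder of the cookie can
    produce a message that verifies."""
    tag = hmac.new(cookie, f"{seq}|{new_addr}".encode(), hashlib.sha256).digest()
    return {"seq": seq, "addr": new_addr, "tag": tag}


def apply_update(conn: Connection, msg: dict) -> bool:
    """Accept the update only if the counter is fresh and the tag
    verifies under this connection's cookie; otherwise drop it."""
    if msg["seq"] <= conn.seq:          # stale or replayed counter
        return False
    expected = hmac.new(conn.cookie, f"{msg['seq']}|{msg['addr']}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False
    conn.seq = msg["seq"]
    conn.peer_addrs.add(msg["addr"])
    return True


def demo() -> dict:
    """Run one legitimate update, one off-path forgery and one replay."""
    # 128 random bits: far beyond TCP's 32-bit sequence number, which is
    # the bar the section sets ("at least as strong as that of TCP").
    cookie = secrets.token_bytes(16)
    host = Connection(cookie, {"2001:db8:1::1"})      # constructed address
    # Peer acquires a second address and announces it.
    legit = apply_update(host, make_update(cookie, 1, "2001:db8:2::1"))
    # Off-path party does not know the cookie; a guessed one is rejected.
    forged = apply_update(host, make_update(secrets.token_bytes(16), 2,
                                            "2001:db8:ffff::1"))
    # The peer's own earlier update replayed later is rejected too.
    replay = apply_update(host, make_update(cookie, 1, "2001:db8:2::1"))
    return {"legit": legit, "forged": forged, "replay": replay,
            "addrs": sorted(host.peer_addrs)}


if __name__ == "__main__":
    print(demo())
```

   As the section states, this check gives no protection against a MITM:
   a party that observed the cookie in transit can produce a verifying
   update, and any address it inserts stays in the set after it leaves.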

1.2. New DDoS Opportunity with False Source Information

   On the current Internet, an attacker can send a packet with a forged
   source address, expecting that the reply packet is sent to the host
   at that source address, as a DDoS attack on that host.  There is
   often some amplification possible; for example, a DNS reply is often
   a lot longer than the query.  The attacked host has no way to know
   the location of the attacker from the attacking packets, the sender
   of which often does not even have logging.

   Transport layer protocols handling multiple addresses of a host are
   subject to similar attacks.

   If transport layer protocols handling multiple addresses of a host
   have a DoS amplification property worse than that of current Internet
   hosts, the existing security threat of DDoS will become more serious.

1.3. New DoS Opportunity on Identification

   If the identification of a host involves a computationally expensive
   security mechanism, it can be used for a DoS attack on the host.

   On the current Internet, a cookie is exchanged before the
   computationally expensive process is performed, though merely holding
   cookie information can itself be an expensive operation, as
   exemplified by TCP SYN flooding.

   Cookie protection, of course, is powerless against MITM.

   If transport layer protocols having a new connection identification
   mechanism do not support an initial cookie exchange, there will be a
   new security threat of DoS.
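   The following is an added example, not part of this draft and not any
   proposed multi6 solution, covering both Section 1.2 and Section 1.3:
   a responder that answers the first message of a connection with only a
   small stateless cookie and performs the costly identification step
   only after the cookie comes back from the address it was issued to.
   The message sizes, the minimum first-message length, the time-slot
   width, the Responder class and the stand-in for the expensive step are
   the example's own assumptions.  Because the cookie is recomputed from
   a server secret rather than stored, a flood of first messages holds no
   per-client state (the SYN-flooding point above), and because the reply
   is never longer than the request, a forged source address yields no
   amplification toward the victim.

```python
"""Added example (not from the draft): stateless cookie exchange before
expensive identification, bounding both amplification (Section 1.2)
and DoS on identification (Section 1.3)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # would be rotated in practice
COOKIE_LEN = 16
MIN_INIT_LEN = 32     # first messages shorter than this are dropped, so
                      # a reply (COOKIE_LEN bytes) is never larger than
                      # the request that triggered it


def time_slot(now: Optional[float] = None, width: int = 60) -> int:
    """Coarse clock used to expire cookies without storing them."""
    return int((time.time() if now is None else now) // width)


def make_cookie(src: str, slot: int, secret: bytes = SERVER_SECRET) -> bytes:
    """Cookie = truncated HMAC over the claimed source address and the
    time slot.  Nothing is stored: verification recomputes it."""
    return hmac.new(secret, f"{src}|{slot}".encode(), hashlib.sha256).digest()[:COOKIE_LEN]


def expensive_identification(payload: bytes) -> bytes:
    """Stand-in for the costly identity check (assumption: a key
    derivation plays the role of, e.g., a public-key operation)."""
    return hashlib.pbkdf2_hmac("sha256", payload, b"constructed-salt", 20000)


def amplification_factor(request_len: int, reply_len: int) -> float:
    """Bytes sent by the responder per byte received from the claimed source."""
    return reply_len / request_len


class Responder:
    def __init__(self) -> None:
        self.expensive_calls = 0   # how often the costly step actually ran

    def on_init(self, src: str, init_msg: bytes,
                now: Optional[float] = None) -> Optional[bytes]:
        """First message: reply only with a cookie, do no expensive work,
        keep no state.  Undersized messages are dropped."""
        if len(init_msg) < MIN_INIT_LEN:
            return None
        return make_cookie(src, time_slot(now))

    def on_init_ack(self, src: str, cookie: bytes, payload: bytes,
                    now: Optional[float] = None) -> Optional[bytes]:
        """Second message: the cookie must verify for the address this
        message really came from (current or previous slot); only then
        is the expensive identification performed."""
        slot = time_slot(now)
        ok = any(hmac.compare_digest(cookie, make_cookie(src, s))
                 for s in (slot, slot - 1))
        if not ok:
            return None
        self.expensive_calls += 1
        return expensive_identification(payload)


def demo() -> dict:
    r = Responder()
    init = b"INIT" + secrets.token_bytes(MIN_INIT_LEN - 4)   # constructed 32-byte first message
    # Forged source: the cookie goes to the victim, the responder spent
    # nothing expensive, and the reply is half the size of the request.
    to_victim = r.on_init("2001:db8::victim", init)
    amp = amplification_factor(len(init), len(to_victim))
    # Genuine client receives its cookie and returns it from the same address.
    cookie = r.on_init("2001:db8::client", init)
    ident = r.on_init_ack("2001:db8::client", cookie, b"client-identity")
    # A cookie issued to one address is useless when presented from another.
    reused = r.on_init_ack("2001:db8::other", cookie, b"client-identity")
    return {"amp": amp, "expensive_calls": r.expensive_calls,
            "identified": ident is not None, "reused_rejected": reused is None}


if __name__ == "__main__":
    print(demo())
```

   The cookie check still does nothing against a MITM, which sees the
   cookie on the path and can return it; what it removes is the ability
   of an off-path sender with a forged source to trigger either a large
   reply or the expensive step.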

1.4. Privacy on Identification

   If transport layer protocols having a new connection identification
   mechanism require hosts to have persistent identification
   information, it can be used to track the identity of the host, which
   is a new security threat.

2. Author's Address

   Masataka Ohta
   Graduate School of Information Science and Engineering
   Tokyo Institute of Technology
   2-12-1, O-okayama, Meguro-ku, Tokyo 152-8552, JAPAN

   Phone: +81-3-5734-3299
   Fax: +81-3-5734-3299
   EMail: mohta@necom830.hpcl.titech.ac.jp
