Threats Relating to Transport Layer Protocols Handling Multiple Addresses <draft-ohta-multi6-threats-00.txt>

1
Threats Relating to Transport Layer Protocols
Handling Multiple Addresses <draft-ohta-multi6-threats-00.txt>
  • Masataka Ohta
  • Tokyo Institute of Technology
  • mohta_at_necom830.hpcl.titech.ac.jp

2
Multihoming and Multiple Addresses
  • To avoid bloating the global routing table
  • Sites and small ISPs should have multiple
    prefixes assigned from their upstream
  • Multiple IP Addresses are mapped to a single
    transport entity session by session
  • The Internetworking layer is connectionless
  • Cannot support a session or its state
  • Transport layer takes care of the addresses

3
Threats Identified
  • Connection Hijacking with False Peer Address
  • New DDoS Opportunity with False Source
    Information
  • New DoS Opportunity on Identification
  • Privacy on Identification

4
Connection Hijacking with False Peer Address
  • Hosts in multihomed sites may be supplied a false
    peer address by an attacker, which redirects an
    existing connection to the wrong location.
  • Not a new threat
  • MITM can rewrite DNS answers
  • MITM can rewrite URLs of HTTP sessions
  • Protected by cookies of transport protocols

5
New DDoS Opportunity with False Source Information
  • Hosts may be used for distributed DoS to damage
    the rest of the Internet
  • DoS amplification is the problem
  • Not a new threat
  • DNS reply is often longer than query
  • DoS bandwidth amplified
  • M6 protocols should not send long or numerous
    replies in response to a short query packet

6
New DoS Opportunity on Identification
  • Depending on a way to identify a host, the host
    may be subject to DoS
  • PK cryptography is computationally expensive
  • Never perform PK computation (if any) without a
    cookie exchange
  • not a protection against MITM

7
Privacy on Identification
  • Depending on the way a host is identified, hosts may
    not be able to protect their privacy
  • IDs should be able to be temporary
  • Locators can not be hidden