[e2e] It's all my fault

David P. Reed dpreed at reed.com
Tue May 15 06:48:58 PDT 2007


Randy Bush wrote:
>
> btw, i am not against source routing.  but i am strongly for reality based
> discussion.  on that line, do folk have more minimal proposals for plugging
> the rthdr0 hole?
>   
Can we characterize the "hole" and the range of its impact (i.e. like 
any bug report, let's have an honest attempt to decide how important it 
is in the scheme of things).   I doubt that the language is proper:  I 
use "hole" in quotes because it's not a security hole any more than the 
ability to send a packet to an arbitrary destination (the *core* 
function of IP) is a hole - if that packet triggers a vulnerability in 
that destination, it's not the addressability that is the hole...  IP as 
a layer provides no guarantees that packets may not appear at the wrong 
place sometimes, or be delayed or duplicated (meaning that packets must 
be accepted with care, wherever they arrive!)

So if RTHDR0 is a "hole" it is a hole in the so-called "firewall 
security model".  But that security model has been thoroughly 
discredited as a mechanism for providing security against system 
vulnerabilities by years of experience. (IMO).   The firewall security 
model is described by the first book about it (Bellovin and Cheswick) as 
something that helps one deal with systems that were not properly 
secured in the first place (in those days it was Unix boxes with wide 
open unsecured services like NFS).   A "hole" in Swiss cheese is redundant.

We have known for years how to do reliable authentication with various 
protocols based in cryptographic signature and limited-life keys.   In 
fact, some of those ideas are well articulated in IPv6 by some darned 
thoughtful people.   So if there are vulnerabilities exposed by the 
ability to route in a particular way, the long-term sensible solution is 
not to limit routing, but to use a standardized solution: proper 
authentication of those commands and requests that are not properly 
authenticated today.

The biggest network layer hole today is the *dependency* on undebuggable 
address rewriting rules implemented by aggressive middleboxes that have 
been extended beyond their usefulness to actually be crucially part of a 
topological security model.   The idea that a hotel can prevent botnets 
from operating by blocking magical port numbers or acting as a 
man-in-the-middle by pretending (as most do) that their port 25 server 
is at the IP address of my email server (this should be illegal 
wire fraud, if I had Jon Gilmore's cash, I would bring a case...).   Note 
that I said *dependency* (as in addiction) above.   The rewriting can be 
detected and prevented by end-to-end authentication.   But what is 
problematic is how much of the Internet (and how much of the security 
community) has entered into the false belief state that firewalls are 
the core of Internet security.

In fact, the Internet was designed at a time when it was already clear 
that an *Inter*-net would be of such a scope that one *could not* expect 
the network to provide security for the endpoints.   Steve Kent and 
others worked hard (though NSA barred them from participating in the 
Internet project per se) to develop end-to-end security approaches that 
recognized the point that the catenet transport layer of the Internet 
was not the place to embed security - for the basic reason outlined in 
the "end to end argument" - security is inherently a concern of the 
endpoints among the endpoints - not something that a transport layer can 
even fully comprehend.

Thus, in answer to your question - for any particular class of attacks 
that might be amplified by routing capabilities, one first should look 
to fix the actual vulnerabilities at the application or network 
management layer where those attacks manifest themselves.

Some of those vulnerabilities remain despite known fixes.   My bête noire 
is the arpspoofing and DHCP attacks that are based on protocols that 
should NEVER have been designed the way they are, without security.   
And in both cases, security mechanisms are known and available, but not 
deployed - instead the discredited "firewall" idea continues to patch 
around them, and then people get burnt by them in new places - i.e. 
Airport WiFi hotspots...
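The "rthdr0 hole" Randy asks about is an IPv6 packet carrying a Routing Header of type 0 (Next Header value 43, Routing Type 0), whose address list lets the sender steer the packet through intermediate hops. As an added example, not part of David Reed's message or anything else in this thread, the Python below walks an IPv6 extension-header chain, extracts any RH0 it finds, and applies the narrowest host-side check, the one RFC 5095 later standardized when it deprecated RH0: an RH0 with Segments Left equal to zero is ignored, one with segments still to process is discarded. The packet bytes are constructed inside the block from documentation-prefix addresses (2001:db8::/32); the hop list and the helper names are mine, not from the post.

```python
"""Walk an IPv6 extension-header chain and flag Routing Header type 0 (RH0).

Added example, not from the original e2e post. All packet bytes are
constructed by build_rh0_packet(); nothing is read from the wire.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
# Next Header values (IANA protocol numbers) of the headers this walker knows.
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_ESP, NH_AH, NH_DSTOPTS, NH_NONE = 0, 43, 44, 50, 51, 60, 59
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_ESP, NH_AH, NH_DSTOPTS}


def build_rh0_packet(src, dst, hops, hop_by_hop=False):
    """Construct a sample IPv6 packet whose RH0 lists `hops` as intermediate addresses.

    RH0 layout: Next Header, Hdr Ext Len (8-octet units, not counting the first 8),
    Routing Type (0), Segments Left, 4 reserved bytes, then 16-byte addresses.
    Segments Left is set to the full hop count, i.e. nothing visited yet.
    """
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    rh0 = struct.pack("!BBBB4x", NH_NONE, 2 * len(hops), 0, len(hops)) + addrs
    payload, first_nh = rh0, NH_ROUTING
    if hop_by_hop:
        # Put an empty Hop-by-Hop Options header (one PadN option) in front, so the
        # walker has to skip a header before it reaches the RH0.
        payload = struct.pack("!BB", NH_ROUTING, 0) + bytes([1, 4, 0, 0, 0, 0]) + rh0
        first_nh = NH_HOPOPTS
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), first_nh, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return ipv6 + payload


def find_routing_header(pkt):
    """Return (routing_type, segments_left, addresses) for the first Routing Header.

    Returns None if there is none before the chain ends (or before ESP makes the
    rest opaque). Raises ValueError for a non-IPv6 or truncated packet.
    """
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if nh == NH_ESP:
            return None  # everything after ESP is encrypted; nothing more to walk
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header chain")
        if nh == NH_FRAGMENT:
            hdr_len = 8                         # Fragment header is fixed size
        elif nh == NH_AH:
            hdr_len = (pkt[off + 1] + 2) * 4    # AH counts 4-octet units minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8    # others count 8-octet units minus 1
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header chain")
        if nh == NH_ROUTING:
            rtype, segs_left = pkt[off + 2], pkt[off + 3]
            addrs = []
            if rtype == 0:
                body = pkt[off + 8:off + hdr_len]
                if len(body) % 16:
                    raise ValueError("malformed RH0: address list not a multiple of 16")
                addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                         for i in range(0, len(body), 16)]
            return rtype, segs_left, addrs
        nh, off = pkt[off], off + hdr_len
    return None


def rh0_disposition(pkt):
    """Host-side rule from RFC 5095: 'accept' when there is no RH0 or its Segments
    Left is zero (the header is ignored), 'drop' when segments remain."""
    rh = find_routing_header(pkt)
    if rh is None or rh[0] != 0:
        return "accept"
    return "accept" if rh[1] == 0 else "drop"


if __name__ == "__main__":
    sample = build_rh0_packet("2001:db8::1", "2001:db8::2",
                              ["2001:db8::2", "2001:db8::3", "2001:db8::2"])
    print(find_routing_header(sample), rh0_disposition(sample))
```

The sample hop list points the packet back and forth between two addresses, which is the pattern that makes RH0 interesting as an amplifier; the disposition function only looks at Segments Left, so it does not need to interpret the list at all. A filter that wanted to be stricter than RFC 5095 (drop any RH0, or any Routing Header of unknown type) changes one line in `rh0_disposition`.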


