Proof of transit: mention why it is not needed #34
draft-dekater-scion-dataplane.md
Outdated
Moreover, packet integrity protection is not enough if there are two colluding adversaries on the path. These colluding adversaries can forward the packet between them using a different path than selected by the source endpoint: The first on-path attacker remodels the packet header arbitrarily, and the second on-path attacker changes the path back to the original source-selected path, such that the integrity check by the destination endpoint succeeds. | ||
Under the assumptions for this attack to be possible, each of the malicious on-path adversary may already inspect/copy traffic, therefore this attack does not represent an additional security gap. | ||
To prevent this attack and to defend against multiple on-path adversaries in general, proof of transit is required, which is not in scope for this document, given the marginal benefit. | ||
Moreover, packet integrity protection is not enough if there are two colluding adversaries on the path. These colluding adversaries can forward the packet between them using a different path than selected by the source endpoint: The first on-path attacker remodels the packet header arbitrarily, and the second on-path attacker changes the path back to the original source-selected path, such that the integrity check by the destination endpoint succeeds. Under the assumptions for this attack to be possible, each of the malicious on-path adversary may already inspect/copy traffic, therefore this attack does not represent an additional security gap. To prevent this attack and to defend against multiple on-path adversaries in general, proof of transit is required, which is not in scope for this document, given the marginal benefit. |
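Review bot: The closing sentence says proof of transit "is required" directly after the text concludes that the attack "does not represent an additional security gap", so the paragraph appears to argue both for and against the mechanism. Consider "would be required to prevent this attack" and say plainly that it is out of scope because the benefit is marginal. In the sentence beginning "Under the assumptions for this attack to be possible", "each of the malicious on-path adversary" should also read "each of the malicious on-path adversaries".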
I propose a slightly different wording, because I think that, as it is, the last sentence seems to contradict the rest. Maybe the explanation below is clearer? Not binding, keep your text if you prefer it.
Moreover, packet integrity protection is not enough if there are two colluding adversaries on the path. These colluding adversaries can forward the packet between them using a different path than selected by the source endpoint: The first on-path attacker remodels the packet header arbitrarily, and the second on-path attacker changes the path back to the original source-selected path, such that the integrity check by the destination endpoint succeeds. However, such an attack is of little value. An on-path adversary can inspect/copy/disrupt the traffic that reaches it without diverting the traffic away from the sender-chosen path. For this reason proof-of-transit, which would be required to detect such an attack, has little benefit in the context of SCION and is not in scope for this document.
Thanks, I used a slightly edited version of your wording
Follow up to scionassociation/scion-cp_I-D#52