Proof of transit: mention why it is not needed #34

Merged
merged 3 commits into from
Aug 26, 2024


nicorusti
Member

@nicorusti nicorusti commented Jul 21, 2024

Moreover, packet integrity protection is not enough if there are two colluding adversaries on the path. These colluding adversaries can forward the packet between them using a different path than selected by the source endpoint: The first on-path attacker remodels the packet header arbitrarily, and the second on-path attacker changes the path back to the original source-selected path, such that the integrity check by the destination endpoint succeeds.
Under the assumptions for this attack to be possible, each of the malicious on-path adversary may already inspect/copy traffic, therefore this attack does not represent an additional security gap.
To prevent this attack and to defend against multiple on-path adversaries in general, proof of transit is required, which is not in scope for this document, given the marginal benefit.
Moreover, packet integrity protection is not enough if there are two colluding adversaries on the path. These colluding adversaries can forward the packet between them using a different path than selected by the source endpoint: The first on-path attacker remodels the packet header arbitrarily, and the second on-path attacker changes the path back to the original source-selected path, such that the integrity check by the destination endpoint succeeds. Under the assumptions for this attack to be possible, each of the malicious on-path adversary may already inspect/copy traffic, therefore this attack does not represent an additional security gap. To prevent this attack and to defend against multiple on-path adversaries in general, proof of transit is required, which is not in scope for this document, given the marginal benefit.
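
Review bot: the justification in "each of the malicious on-path adversary may already inspect/copy traffic" covers only inspection and copying, while the first sentence says the packet travels "a different path than selected by the source endpoint". Consider stating explicitly that the source's path selection is not enforced between the two colluding adversaries, so the reader sees what is being left undefended. The same sentence needs the plural "adversaries", and the closing "proof of transit is required, which is not in scope" reads as if the document itself requires it; wording it as "would be required to detect this attack, but is not in scope" removes the apparent contradiction.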
Contributor

I propose a slightly different wording, because I think that, as it is, the last sentence seems to contradict the rest. Maybe the explanation below is clearer? Not binding, keep your text if you prefer it.

Moreover, packet integrity protection is not enough if there are two colluding adversaries on the path. These colluding adversaries can forward the packet between them using a different path than selected by the source endpoint: The first on-path attacker remodels the packet header arbitrarily, and the second on-path attacker changes the path back to the original source-selected path, such that the integrity check by the destination endpoint succeeds. However, such an attack is of little value. An on-path adversary can inspect/copy/disrupt the traffic that reaches it without diverting the traffic away from the sender-chosen path. For this reason proof-of-transit, which would be required to detect such an attack, has little benefit in the context of SCION and is not in scope for this document.

Member Author

Thanks, I used a slightly edited version of your wording

@nicorusti nicorusti merged commit bacdcaa into main Aug 26, 2024
2 checks passed
@nicorusti nicorusti deleted the nic_pot_reason branch August 26, 2024 07:51
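
The following is an added illustration, not part of the pull request or of the SCION draft: a toy model of the two-adversary detour discussed in this thread, in which the destination's end-to-end integrity check passes while a simplified per-hop MAC chain (standing in for proof of transit) fails. The router names, keys, packet layout and chaining scheme are constructed assumptions, not SCION's header format or any standardized proof-of-transit scheme.

```python
import hashlib
import hmac

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Constructed keys (assumptions): one source-destination key, and one key per
# router that the destination also knows and uses to check the transit proof.
K_E2E = b"source-destination key"
HOP_KEY = {hop: b"hop key " + hop.encode() for hop in "ABCDX"}

def send(path: list[str], payload: bytes) -> dict:
    """Source: authenticate the selected path and the payload end to end."""
    hdr = "/".join(path).encode()
    tag = mac(K_E2E, hdr + b"|" + payload)
    return {"hdr": hdr, "payload": payload, "tag": tag, "pot": tag}

def transit(pkt: dict, hops: list[str]) -> dict:
    """Each router actually traversed folds its key into the transit proof."""
    for hop in hops:
        pkt["pot"] = mac(HOP_KEY[hop], pkt["pot"])
    return pkt

def integrity_ok(pkt: dict) -> bool:
    """Destination's end-to-end check over header and payload only."""
    expected = mac(K_E2E, pkt["hdr"] + b"|" + pkt["payload"])
    return hmac.compare_digest(expected, pkt["tag"])

def transit_ok(pkt: dict) -> bool:
    """Destination recomputes the proof over the path named in the header."""
    proof = pkt["tag"]
    for hop in pkt["hdr"].decode().split("/"):
        proof = mac(HOP_KEY[hop], proof)
    return hmac.compare_digest(proof, pkt["pot"])

def honest(payload: bytes = b"data") -> dict:
    return transit(send(["A", "B", "C", "D"], payload), ["A", "B", "C", "D"])

def detour(payload: bytes = b"data") -> dict:
    """Colluders A and D: A rewrites the header to go via X, D restores it."""
    pkt = send(["A", "B", "C", "D"], payload)
    original_hdr = pkt["hdr"]
    transit(pkt, ["A"])
    pkt["hdr"] = b"A/X/D"        # first adversary diverts the packet
    transit(pkt, ["X"])
    pkt["hdr"] = original_hdr    # second adversary puts the header back
    transit(pkt, ["D"])
    return pkt
```

The colluders hold only their own keys, so they cannot supply the contributions of the skipped routers B and C; that is the property the integrity check alone does not give.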