Arvind Sevalkar writes:

I have a question about triangular routing. In Appendix B, Section "B.2 Triangular routing", it is mentioned that:

"Due to the concerns about opening reflection attacks with the Home Address destination option, this specification requires that this option must be verified against the Binding Cache, i.e., there must be a Binding Cache entry for the Home Address and Care-of Address."

And in Section "9.3.1 Receiving Packets with Home Address Option" it is mentioned that the tests of the Home Address option must not be done for a packet with a Home Address option and a BU, or for IPsec AH or ESP packets. This is a little confusing. I think that for a packet with a Home Address option and IPsec AH or ESP, the CN should not verify the option against a Binding Cache entry for the Home Address and Care-of Address. Is this correct?

-------------------

Jari Arkko responds to Arvind Sevalkar:

We removed triangular routing per earlier discussion (#53). Later (#216), we observed that ESP could hide the fact that a BU is being carried, so it's hard to make the determination at the stage when the ESP packet is being processed. The proposal at one time was to remember that the HAO check needs to be done until IPsec decryption was complete. However, in terms of processing it was seen as easier to handle each step with the information that is available. So the final text was that BUs, ESP, and AH are exempt from the rule on the receivers.

Still, the spec disallows sending ESP or AH packets with a HAO unless (a) a BCE exists or (b) it's a BU. So from the sender side we have no problem. I guess the question is whether just allowing this on the receiver side is problematic. Looking back at issue #53, I'm starting to wonder if we forgot some of the lessons when discussing the later issue. Basically, the question is what kind of IPsec SAs qualify as trusted enough to avoid reflection attacks.

Even if our correct senders never send these things, malicious nodes could exploit our requirement to accept these packets. On the other hand, I like the new text because it performs all checks locally without requiring a lot of co-operation between stack parts.

Perhaps one way to resolve this would be to allow the ESP/AH check only for addresses for which the node in question is acting as a home agent. This guarantees the existence of SPD entries of suitable form. So, maybe instead of:

"These tests MUST NOT be done for packets that contain a Home Address option and a Binding Update, or for IPsec AH or ESP packets."

we could say:

"These tests MUST NOT be done for packets that contain a Home Address option and a Binding Update. They also MUST NOT be done for IPsec AH or ESP packets with a Home Address option containing an address for which the receiving node could act as a home agent."

-------------------

Brian Haley responds to Jari Arkko:

This text is in Section 9.3.1, which is the CN packet processing section, so I wouldn't think the HA comment would even apply. And won't this now stop IPsec from working between a MN and CN, even though the draft doesn't specifically allow it? I might have misunderstood this...

-------------------

Jari Arkko responds to Brian Haley:

> This text is in Section 9.3.1, which is the CN packet processing
> section, so I wouldn't think the HA comment would even apply.

Hmmm... you may be right. But since ancient times, it seems that a lot of the CN functionality has been assumed to be a part of the HA functionality as well. I don't think we explicitly say this anywhere in the draft, though. Maybe 10.3.1 should explicitly say how the Home Address option is to be verified.

> And won't this now stop IPsec from working between a MN and
> CN, even though the draft doesn't specifically allow it?

Not as far as I can understand. The rule is about when to check for the existence of the BCE, not about when to allow IPsec. All this means is that you don't suddenly start to allow HAO just because someone turned on IPsec. But IPsec when you have route optimization on, or IPsec when you are using bidirectional routing, works just fine.

-------------------

Jari Arkko writes:

Assuming Brian approves the above response from me, the text changes would be as follows:

Section 9.3.1:

"... These tests MUST NOT be done for packets that contain a Home Address option and a Binding Update."

Section 10.3.1:

"A Home Address destination option MUST be present in the message. It MUST be validated as described in Section 9.3.1 with the following additional rule. The Binding Cache entry existence test MUST NOT be done for IPsec packets when the Home Address option contains an address for which the receiving node could act as a home agent."

-------------------
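To make the difference between the current Section 9.3.1 wording and the proposed 9.3.1/10.3.1 split concrete, the following is an added Python model of the receiver-side Binding Cache entry (BCE) existence test. It is example code written for this page, not text from the draft, the thread, or any Mobile IPv6 implementation. It models only the decision the thread discusses: whether the BCE existence test is performed for a packet carrying a Home Address option (HAO), and whether it passes. IPsec SA lookup, decryption and all other packet processing are out of scope. The condition "an address for which the receiving node could act as a home agent" is approximated as "the home address falls inside a prefix this node serves as home agent", which is an assumption of this model, not the draft's definition. All addresses, the Binding Cache contents and the Packet fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Packet:
    """The few packet properties the BCE existence test depends on (model, not a parser)."""
    src: IPv6Address          # IPv6 source address (the care-of address when a HAO is present)
    hao: IPv6Address          # address carried in the Home Address destination option
    carries_bu: bool = False  # a Mobility Header with a Binding Update is present
    ipsec: bool = False       # packet is protected by AH or ESP


def bce_exists(pkt, bcache):
    """The 9.3.1 test itself: a Binding Cache entry for (home address, care-of address) must exist."""
    return (pkt.hao, pkt.src) in bcache


def cn_bce_test_passes_current(pkt, bcache):
    """9.3.1 as currently worded: packets carrying a BU and all AH/ESP packets skip the test."""
    if pkt.carries_bu or pkt.ipsec:
        return True
    return bce_exists(pkt, bcache)


def cn_bce_test_passes_proposed(pkt, bcache):
    """9.3.1 as proposed in the thread: only packets carrying a BU skip the test."""
    if pkt.carries_bu:
        return True
    return bce_exists(pkt, bcache)


def ha_bce_test_passes_proposed(pkt, bcache, home_prefixes):
    """10.3.1 as proposed: 9.3.1 plus an exemption for IPsec packets whose HAO is an
    address this node could serve as home agent (assumption: 'lies in a served prefix')."""
    if pkt.carries_bu:
        return True
    if pkt.ipsec and any(pkt.hao in prefix for prefix in home_prefixes):
        return True
    return bce_exists(pkt, bcache)


def ipsec_sender_may_add_hao(pkt, binding_update_list):
    """Sender-side rule as Jari states it: an AH/ESP packet may carry a HAO only if the
    sender has a binding for (home, care-of) at the peer or the packet is a BU.
    Only meaningful for IPsec packets; the sender's own record of bindings is passed in."""
    return pkt.carries_bu or (pkt.hao, pkt.src) in binding_update_list


# Constructed sample data (invented addresses, not from the draft).
HOME = IPv6Address("2001:db8:1::10")             # mobile node's home address
COA = IPv6Address("2001:db8:2::20")              # its registered care-of address
OTHER = IPv6Address("2001:db8:3::30")            # an unregistered source address
BCACHE = {(HOME, COA)}                           # the CN's Binding Cache: one entry
HA_PREFIXES = [IPv6Network("2001:db8:1::/64")]   # prefix this node serves as home agent


def evaluate_scenarios():
    """Apply the rules above to a few constructed packets and return the verdicts."""
    registered = Packet(src=COA, hao=HOME)                          # BCE exists
    registered_esp = Packet(src=COA, hao=HOME, ipsec=True)          # BCE exists, IPsec
    bu = Packet(src=OTHER, hao=HOME, carries_bu=True)               # a Binding Update
    unbound_esp = Packet(src=OTHER, hao=HOME, ipsec=True)           # IPsec, HAO, no BCE
    foreign_esp = Packet(src=OTHER, hao=IPv6Address("2001:db8:9::1"), ipsec=True)
    return {
        "registered/cn_current": cn_bce_test_passes_current(registered, BCACHE),
        "registered_esp/cn_proposed": cn_bce_test_passes_proposed(registered_esp, BCACHE),
        "bu/cn_proposed": cn_bce_test_passes_proposed(bu, BCACHE),
        "unbound_esp/cn_current": cn_bce_test_passes_current(unbound_esp, BCACHE),
        "unbound_esp/cn_proposed": cn_bce_test_passes_proposed(unbound_esp, BCACHE),
        "unbound_esp/ha_proposed": ha_bce_test_passes_proposed(unbound_esp, BCACHE, HA_PREFIXES),
        "foreign_esp/ha_proposed": ha_bce_test_passes_proposed(foreign_esp, BCACHE, HA_PREFIXES),
        "unbound_esp/sender": ipsec_sender_may_add_hao(unbound_esp, BCACHE),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:30s} {'passes' if verdict else 'fails'} the BCE existence test")
```

The `unbound_esp` packet is the case the thread turns on: an AH/ESP packet carrying a HAO for a home address with no matching Binding Cache entry. Under the current 9.3.1 text a correspondent node skips the test for it; under the proposed 9.3.1 text it fails; under the proposed 10.3.1 rule a home agent still exempts it, but only when the home address is one it could serve. The `sender` entry shows that a conforming mobile node would not have sent such a packet in the first place, which is why the thread frames the remaining question as what a receiver should do with one.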