> - 13.1 Threats to the Local Link Not Covered by SEND (comment)
>
> To protect against such attacks,
> link layer security MUST be used. An example of such for 802 type
> networks is port-based access control [34].
>
> => can you explain how 802.1X or any link-layer security can help here?
> I claim that you have no way in the layer 2 or 3 themselves to protect
> the layer 2 - layer 3 address binding! The only thing that SEND gives
> is the attacker must be a node one trusts.

Hmm.. with CGA it appears to give more. But I'll leave this question for Pekka to answer.

-------
James Kempf:

Issue 24 was raised by one of the reviewers:

>>>> - 13.1 Threats to the Local Link Not Covered by SEND (comment)
>>>>
>>>> To protect against such attacks,
>>>> link layer security MUST be used. An example of such for 802 type
>>>> networks is port-based access control [34].
>
>>
>> => can you explain how 802.1X or any link-layer security can help here?
>> I claim that you have no way in the layer 2 or 3 themselves to protect
>> the layer 2 - layer 3 address binding! The only thing that SEND gives
>> is the attacker must be a node one trusts.

Specifically, the attack that is mentioned in the Security Considerations section is:

>> On an insecure link layer that
>> allows nodes to spoof the link layer address of other nodes, an
>> attacker could disrupt IP service by sending out a Neighbor
>> Advertisement having the source address on the link layer frame of a
>> victim, a valid CGA with valid AH signature corresponding to itself,
>> and a Target Link-layer Address extension corresponding to the
>> victim. The attacker could then proceed to cause a traffic stream to
>> bombard the victim in a DoS attack.

The 802.1x standard [0] provides a mechanism by which a host can be authenticated to a particular point of attachment to a LAN (called a "port" in the standard). If the MAC on frames sent by a host does not correspond to the MAC of the host originally authenticated to this port, then the point of attachment drops the frames. Authorization to use the port is determined by the MAC address of the host that originally authenticated to the port. The way 802.1x protects against this attack is that, if a host authenticated to a particular port attempts to spoof the MAC address of another host, the port will drop the frames. Naturally, this requires that all ports by which hosts can attach to the LAN use 802.1x authentication. In addition, this won't work for shared media such as multiple hosts authenticated through the same 802.11 AP (which acts as a single port for all hosts), but it will work on 802.3 switched LANs.

802.1x does not provide protection for the layer 2 frame - layer 3 packet address binding in traffic (that is, real time filtering to check this binding), and neither does SEND. 802.1x provides authentication and filtering of MAC address to port, SEND provides protection for the layer 2 - layer 3 binding *information* in the ND packet, via the CGA address (authorization to use the address via the public key) and the signature on the packet (authentication of contents as from authorized IP address possessor).

IEEE is additionally starting some work on secure link layer (see: http://www.ieee802.org/linksec/ for more information) that might result in modifications to the 802 link security architecture. These may possibly eliminate any residual threats.

-------
Jari Arkko:

I agree with everything you have said above. But was there any proposed document change due to this?

-------
James Kempf:

I think the relevant text in this email could be included in the Security Considerations section. I interpret the reviewers' comments to mean the current text is not enough to clarify the point.

-------
James Kempf:

Suggested resolution for Issue 24 is to include the following text as the second paragraph in the Security Considerations section:

Specifically, the 802.1x standard [ref] provides a mechanism by which a host can be authenticated to a particular point of attachment to a LAN (called a "port" in the standard). If the MAC on frames sent by a host does not correspond to the MAC of the host originally authenticated to this port, then the point of attachment drops the frames. Authorization to use the port is determined by the MAC address of the host that originally authenticated to the port. The way 802.1x protects against this attack is that, if a host authenticated to a particular port attempts to spoof the MAC address of another host, the port will drop the frames. Naturally, this requires that all ports by which hosts can attach to the LAN use 802.1x authentication, and that all hosts physically attach through a port, as is the case with 802.3 switched LAN. For shared media such as multiple hosts authenticated through the same 802.11 AP (which acts as a single port for all hosts) other measures are necessary, since an attacker on the wireless link can spoof the MAC address of a victim on the same wireless link.

802.1x does not provide protection for the layer 2 frame - layer 3 packet address binding in traffic (that is, real time filtering to check this binding), and neither does SEND. 802.1x provides authentication and filtering of MAC address to port, SEND provides protection for the layer 2 - layer 3 binding information in the Neighbor Discovery packet, via the CGA address (authorization to use the address via the public key) and the signature on the packet (authentication of contents as from authorized IP address possessor).
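The following is an added illustration, not text or code from the thread, the SEND draft or IEEE 802.1x, of the two filtering points James Kempf distinguishes above: an 802.1x port that binds one authenticated MAC address to one switched 802.3 port, a shared 802.11 AP that acts as a single port for every authenticated station, and SEND's check of the CGA and signature on the Neighbor Discovery payload. It models the advertisement from the Security Considerations text (victim's MAC on the frame, the attacker's own valid CGA and signature, victim's MAC in the Target Link-layer Address option) and shows which filter, if any, stops it in each setting. The class names, port names, MAC addresses and the IPv6 address are constructed placeholders, and signature verification is stubbed as a boolean field rather than real CGA arithmetic.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class NeighborAdvertisement:
    """The fields of an ND advertisement the thread refers to (constructed model)."""
    frame_src_mac: str        # source MAC in the link-layer frame header
    src_ip: str               # IPv6 source address (a CGA under SEND)
    target_lladdr: str        # Target Link-layer Address option in the ND payload
    cga_and_sig_valid: bool   # stand-in for SEND's CGA + signature verification


class SwitchedPort:
    """One 802.3 switch port with 802.1x: exactly one authenticated MAC."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.authenticated_mac: Optional[str] = None

    def authenticate(self, mac: str) -> None:
        self.authenticated_mac = mac

    def admits(self, frame_src_mac: str) -> bool:
        # Frames whose source MAC is not the authenticated host's are dropped.
        return self.authenticated_mac is not None and frame_src_mac == self.authenticated_mac


class SharedPort:
    """An 802.11 AP: one logical port shared by every authenticated station."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.authenticated_macs: Set[str] = set()

    def authenticate(self, mac: str) -> None:
        self.authenticated_macs.add(mac)

    def admits(self, frame_src_mac: str) -> bool:
        # The AP only knows that *some* authenticated station uses this MAC, so
        # one station sending with another station's MAC is still admitted.
        return frame_src_mac in self.authenticated_macs


def send_accepts(na: NeighborAdvertisement) -> bool:
    """SEND verifies the ND payload (CGA ownership, signature); it never
    compares the payload against the link-layer frame header."""
    return na.cga_and_sig_valid


def process_na(port, na: NeighborAdvertisement) -> str:
    """Run the frame through the port filter, then the SEND check, and report
    where (if anywhere) it was stopped."""
    if not port.admits(na.frame_src_mac):
        return "dropped-by-802.1x-port"
    if not send_accepts(na):
        return "rejected-by-SEND"
    return "accepted"


# Constructed addresses for the scenarios below.
VICTIM_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "66:77:88:99:aa:bb"
ATTACKER_CGA = "2001:db8::a11c"   # placeholder; a real CGA is derived from a public key


def spoofed_na() -> NeighborAdvertisement:
    """The advertisement described in the thread: victim's MAC on the frame,
    attacker's own valid CGA and signature, victim's MAC as the TLLA option."""
    return NeighborAdvertisement(VICTIM_MAC, ATTACKER_CGA, VICTIM_MAC, True)


def scenario_switched_lan() -> str:
    """Attacker on its own 802.1x port of an 802.3 switch."""
    port = SwitchedPort("gi0/7")
    port.authenticate(ATTACKER_MAC)
    return process_na(port, spoofed_na())


def scenario_shared_ap() -> str:
    """Attacker and victim both authenticated through the same 802.11 AP."""
    ap = SharedPort("wlan0")
    ap.authenticate(VICTIM_MAC)
    ap.authenticate(ATTACKER_MAC)
    return process_na(ap, spoofed_na())


def scenario_bad_signature() -> str:
    """Attacker uses its own MAC (port admits it) but cannot produce a valid
    CGA/signature for the advertised address: SEND stops it."""
    port = SwitchedPort("gi0/7")
    port.authenticate(ATTACKER_MAC)
    na = NeighborAdvertisement(ATTACKER_MAC, ATTACKER_CGA, VICTIM_MAC, False)
    return process_na(port, na)


if __name__ == "__main__":
    for name, fn in [("switched 802.3", scenario_switched_lan),
                     ("shared 802.11 AP", scenario_shared_ap),
                     ("bad signature", scenario_bad_signature)]:
        print(f"{name:18s}: {fn()}")
```

The switched case is the one the proposed text relies on: the frame never reaches ND processing because the port, not SEND, rejects the spoofed source MAC. On the shared AP the same frame is admitted and SEND accepts it too, since the CGA and signature genuinely belong to the attacker, which is why the proposed paragraph says other measures are needed there.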