From: ebiederm@xmission.com (Eric W. Biederman)
To: Ttttabcd <ttttabcd@protonmail.com>
Cc: Netdev <netdev@vger.kernel.org>
Subject: Re: Does the kernel IPv6 module plan to implement Secure Neighbor Discovery?
Date: Wed, 16 Jan 2019 21:35:16 -0600 [thread overview]
Message-ID: <878szk0xe3.fsf@xmission.com> (raw)
In-Reply-To: <CDlkrtj-oyA7FP7gtylQ8YrFJrfCwfBclB56T4e3I1tXOp-3JI3rYUMDZ6IkhlNYOL0qEhRCRiLSN417-kVhY59hiJttunS6_fMtERQttVs=@protonmail.com> (ttttabcd@protonmail.com's message of "Mon, 14 Jan 2019 16:21:10 +0000")
Ttttabcd <ttttabcd@protonmail.com> writes:
> IPv6 is rapidly deploying globally. NDP replaces the role of ARP in IPv6 and provides mapping from IP address to MAC address.
>
> However, the NDP protocol is as insecure as the ARP protocol, and can be easily spoofed, and then the attacker can conduct man-in-the-middle attacks.
>
> The solution to the weak security problem is to use Secure Neighbor Discovery, Abbreviation, SeND.
>
> SeND uses Cryptographically Generated Addresses and public keys to authenticate information provided by NDP messages.
>
> I think SeND is a very important security facility under IPv6. I found some implementations in user space, but not in the kernel.
>
> I searched the mail records in lkml.org and found that no one was discussing SeND.
>
> So I am confused, is the kernel planning to implement SeND? Or should SeND be implemented in user space?
Usually it requires someone motivated to step up and do the work. You
sound motivated. The easiest thing would be for you to step up and
write the implementation.
Having looked at this once long ago my memory is that SeND only protects
against an attacker on a local lan. That is not an attack scenario I am
particularly worried about. If my memory is correct there are
additional issues with how you perform the initial key distribution.
All of which is why I am personally not interested.
But if you are interested and would like to make this happen more power
to you.
Eric
next prev parent reply other threads:[~2019-01-17 3:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-14 16:21 Does the kernel IPv6 module plan to implement Secure Neighbor Discovery? Ttttabcd
2019-01-17 3:35 ` Eric W. Biederman [this message]
2019-01-24 4:53 ` Ttttabcd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878szk0xe3.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=netdev@vger.kernel.org \
--cc=ttttabcd@protonmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).