RFC4081 - Security Threats for Next Steps in Signaling (NSIS)

   We could imagine using attributes of a flow identifier that is not
   related to source and destination addresses.  For example, we could
   think of a flow identifier for which only the 21-bit Flow ID is used
   (without source and destination IP address).  Identity spoofing and
   injecting traffic is much easier since a packet only needs to be
   marked and an adversary can use a nearly arbitrary endpoint
   identifier to achieve the desired result.  Obviously, though, the
   endpoint identifiers are not irrelevant, because the messages have to
   hit some nodes in the network where NSIS signaling messages installed
   state (in the above example, they would have to hit the same
   firewall).

   Data traffic marking based on DiffServ is such an example.  Whenever
   an ingress router uses only marked incoming data traffic for
   admission control procedures, various attacks are possible.  These
   problems have been known in the DiffServ community for a long time
   and have been documented in various DiffServ-related documents.  The
   IPsec protection of DiffServ Code Points is described in Section 6.2
   of [RFC2745].  Related security issues (for example denial of service
   attacks) are described in Section 6.1 of the same document.

4.5.  Unprotected Authorization Information

   Authorization is an important criterion for providing resources such

上一页 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] 下一页

复制本页网址和标题，发送给你QQ/Msn的好友一起分享

上一篇:RFC4085 - Embedding Globally-Routable Internet Addresses Considered Harmful

下一篇:RFC4103 - RTP Payload for Text Conversation