Dolev-Yao

Passive attacks
- Attacker only reads packets (“sniffing”)
- Extremely easy on wireless
- Relatively easy on shared media such as Ethernet
- Can only really be excluded by quantum cryptography
Active attacks
- Attacker also injects new packets into the network
- Source address can be spoofed
- Egress/ingress filtering can make this harder
Blind attacks
- Can only write, not read
Replay attacks
- Inject copy of previous good packet (“launch rocket now”)
Combinations


Off-path
- Typically limited to blind attacks
- Relatively easy to protect against
On-path
- Attacker can easily eavesdrop, spoof, suppress, inject
- Man-in-the-middle attack
Protection
- Hard to protect against
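
The replay attack from the list above, shown from the receiver's side as an added example (not part of the original notes): a MAC alone rejects a spoofed packet from an attacker without the key, but still accepts a recorded copy of a good packet, while a counter covered by the MAC rejects both. The key, packet layout and class names are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # shared secret, constructed for this example

def seal(counter: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender: packet = 8-byte counter || payload || HMAC-SHA256 tag."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def _open(packet: bytes, key: bytes):
    """Return (counter, payload) if the tag verifies, else None."""
    if len(packet) < 8 + 32:
        return None
    body, tag = packet[:-32], packet[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">Q", body[:8])[0], body[8:]

class MacOnlyReceiver:
    """Authenticates packets but keeps no state, so replays are accepted."""
    def __init__(self, key: bytes = KEY):
        self.key = key
    def receive(self, packet: bytes):
        opened = _open(packet, self.key)
        return opened[1] if opened else None

class ReplaySafeReceiver(MacOnlyReceiver):
    """Additionally requires a strictly increasing authenticated counter."""
    def __init__(self, key: bytes = KEY):
        super().__init__(key)
        self.last = -1
    def receive(self, packet: bytes):
        opened = _open(packet, self.key)
        if opened is None or opened[0] <= self.last:
            return None  # bad tag, or counter already seen: drop
        self.last = opened[0]
        return opened[1]

def demo():
    captured = seal(1, b"launch rocket now")  # good packet, recorded on-path
    spoofed = seal(2, b"launch rocket now", key=b"attacker-guess")  # no real key
    naive, safe = MacOnlyReceiver(), ReplaySafeReceiver()
    packets = (captured, captured, spoofed)  # original, replay, spoof
    return {"naive": [naive.receive(p) for p in packets],
            "safe": [safe.receive(p) for p in packets]}

if __name__ == "__main__":
    print(demo())
```

A strictly increasing counter also drops legitimately reordered packets; where reordering occurs, a sliding window of recently seen counters is the usual relaxation.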

