
Re: Bellovin's and Ashar's attacks




> From: smb@research.att.com
> Matt Blaze suggests that a sliding sequence number, a la the original
> swIPe protocol, is the best solution to the replay attacks.

I agree that this seems like a better fix for Ashar's replay attacks than
depending upon re-keying.

If we follow Steve's suggestion that ESP require AH then we could put the
sequence number in either the ESP or the authentication header.  Putting it in
the AH would have the advantage of also protecting AH against a replay attack.
This makes some sense to me since Ashar's replay attack is really a takeover of
the identity of the destination of some traffic.

I think that we should specify that the sequence number for any given SPI
starts randomly rather than at some fixed number like zero.  In the case where
an AH flows in the clear, it denies someone who taps part of the traffic any
idea how many packets there have been since the SPI was created.  In the case
where an AH is encrypted within an ESP, it gives a little more randomness to
the traffic pattern.  Not a substitute for a formal IV, but a cheap way to get
some more unpredictability into the clear text.
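
The sliding sequence number with a random per-SPI start discussed in this message, sketched as an added example that is not part of the original message or of any specification text. It assumes a 32-bit sequence field, a 64-packet window, and that the receiver learns the starting value when the SPI is set up; the class and method names are hypothetical.

```python
import secrets

SEQ_BITS = 32   # assumed width of the sequence number field
WINDOW = 64     # assumed window size, in packets
SEQ_MOD = 1 << SEQ_BITS
FULL = (1 << WINDOW) - 1


class Sender:
    """Per-SPI sender counter that starts at a random value."""

    def __init__(self):
        self.start = secrets.randbits(SEQ_BITS)
        self._next = self.start

    def next_seq(self):
        seq = self._next
        self._next = (seq + 1) % SEQ_MOD
        return seq


class ReplayWindow:
    """Per-SPI receiver state: bit i of bitmap set means (top - i) was seen."""

    def __init__(self, start):
        # Everything before the agreed start counts as already seen.
        self.top = (start - 1) % SEQ_MOD
        self.bitmap = FULL

    def accept(self, seq):
        """Call only after the packet's authentication data has verified."""
        ahead = (seq - self.top) % SEQ_MOD
        if 0 < ahead < SEQ_MOD // 2:
            # Newer than anything seen: slide the window forward.
            shifted = (self.bitmap << ahead) & FULL if ahead < WINDOW else 0
            self.bitmap = shifted | 1
            self.top = seq
            return True
        behind = (self.top - seq) % SEQ_MOD
        if behind >= WINDOW:
            return False          # older than the window: reject
        if self.bitmap & (1 << behind):
            return False          # already seen: replay
        self.bitmap |= 1 << behind  # late but new: accept once
        return True
```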