Re: replay attacks



	 In message <199509082327.AA24179@interlock.ans.net>, Steve Kent writes:
	 >It included a replay countermeasure facility.  It might be appropriate
	 >to revisit that feature and ask whether it has a place in either AH or
	 >ESP.

	I'm not entirely sure that it does, though it might need to. If
	a packet is authentic, it is authentic no matter how many times
	you get it so long as it isn't modified. Similarly, if you get
	an encrypted packet, as long as it decrypts properly, the
	encryption/decryption is successful.  I believe that it is
	intended that ULPs handle replays much as they would handle
	normal duplicate packets (usually, this will mean just
	discarding them).

I thought we settled this in the aftermath of Danvers -- replay protection
is vital for secrecy with host-pair keying, because an attacker can bind
to the port later on and replay the message.  This clearly works for UDP,
though TCP sequence numbers make life a bit more difficult.  Similarly,
a packet may be authentic, but it may be possible to fool a new instantiation
of the service.  (TCP's sequence number behavior is predicated on the
assumed maximum lifetime of a packet bouncing around the net.  Malicious
reinjection has totally different properties, which invalidate the original
assumption.)

I originally opposed the sequence numbering in swIPe and the like; these
new attacks have persuaded me that I was wrong.
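
The point argued in the message above, as an added example that is not part of the original post: a packet authenticated under a host-pair key verifies every time it arrives, so only receiver-side sequence state rejects a reinjected copy. The packet layout, HMAC-SHA256, the constructed key and the 64-packet sliding window (a generalization of a plain counter that tolerates reordering) are assumptions, not details from the thread.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-host-pair-key"   # constructed sample key, shared by the two hosts
HDR = struct.Struct("!QH")           # assumed layout: 64-bit sequence number, 16-bit dst port
TAG_LEN = 32                         # HMAC-SHA256 output size

def seal(seq, dst_port, payload, key=KEY):
    """Sender side: header + payload, followed by a MAC over both."""
    body = HDR.pack(seq, dst_port) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Per-key receive state. It belongs to the host-pair key, not to the
    process bound to the port, so it survives a service restart."""
    WINDOW = 64

    def __init__(self, key=KEY, check_replay=True):
        self.key, self.check_replay = key, check_replay
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def accept(self, packet):
        """Return (dst_port, payload) if the packet is accepted, else None."""
        if len(packet) < HDR.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # modified or forged
        seq, port = HDR.unpack(body[:HDR.size])
        if self.check_replay and not self._fresh(seq):
            return None                      # authentic, but seen before or too old
        return port, body[HDR.size:]

    def _fresh(self, seq):
        if seq > self.highest:               # window slides forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if seq == 0 or offset >= self.WINDOW or (self.bitmap >> offset) & 1:
            return False
        self.bitmap |= 1 << offset           # late but new: mark as seen
        return True
```

With `check_replay=False` the same sealed datagram is accepted on every delivery, which is the case where a later process bound to the same port receives old traffic as if it were new.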