
Re: IPsec mailing list



I don't see any reason that Change_Message's (6.1) cannot be replayed,
and this could be used as a denial of service mechanism.  The
Change_Message's have mutated significantly since Hugo's original
comments, but I think his observation that there is no replay
prevention is valid.

Imagine A sending two change messages for the same SPI to B.  Each
message changes the validity-choice method to a different algorithm.
E replays the first message, and now A and B are out of sync.
Actually, if one of the messages is lost, it would seem that similar
trouble would result.
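The scenario above, worked through as an added toy model (this is not code from the original post or from any IPsec draft; the message layout of SPI, algorithm name and per-SPI counter, and the peer names A, B and E, are assumptions made for illustration). The first function reproduces the desync: A sends two Change_Messages for one SPI, E replays the first, and B ends up on the old algorithm. The second adds a strict per-SPI counter on the receiver so the replay is dropped. The third shows the lost-message case mentioned at the end of the post: with the same counter, B at least notices the gap when the next message arrives instead of silently applying it on stale state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SPI = 0x1234  # constructed SPI value for the example


@dataclass(frozen=True)
class ChangeMessage:
    """Hypothetical Change_Message: switch the SA `spi` to `algorithm`.
    `counter` is the assumed per-SPI sequence number; None when the
    protocol carries no replay protection."""
    spi: int
    algorithm: str
    counter: Optional[int] = None


class NaivePeer:
    """Receiver without replay protection: applies every message it gets."""

    def __init__(self) -> None:
        self.sa: Dict[int, str] = {}

    def receive(self, msg: ChangeMessage) -> bool:
        self.sa[msg.spi] = msg.algorithm
        return True


class CounterPeer:
    """Receiver that accepts a Change_Message for an SPI only when its
    counter is exactly last_seen + 1.  A counter <= last_seen is a replay
    or duplicate and is dropped; a counter beyond last_seen + 1 means a
    message was lost, which is logged instead of silently desyncing."""

    def __init__(self) -> None:
        self.sa: Dict[int, str] = {}
        self.last: Dict[int, int] = {}
        self.log: List[str] = []

    def receive(self, msg: ChangeMessage) -> bool:
        expected = self.last.get(msg.spi, 0) + 1
        if msg.counter is None or msg.counter < expected:
            self.log.append(f"replay/duplicate dropped: spi={msg.spi} ctr={msg.counter}")
            return False
        if msg.counter > expected:
            self.log.append(f"gap detected: spi={msg.spi} expected={expected} got={msg.counter}")
            return False
        self.last[msg.spi] = msg.counter
        self.sa[msg.spi] = msg.algorithm
        return True


def replay_without_protection() -> Dict[str, str]:
    """A sends m1 then m2; E replays m1 to B.  Returns each side's view."""
    a, b = NaivePeer(), NaivePeer()
    m1 = ChangeMessage(SPI, "alg-1")
    m2 = ChangeMessage(SPI, "alg-2")
    for m in (m1, m2):
        a.receive(m)  # A updates its own SA as it sends
        b.receive(m)
    b.receive(m1)     # E's replay: B silently goes back to alg-1
    return {"A": a.sa[SPI], "B": b.sa[SPI]}


def replay_with_counter() -> Dict[str, object]:
    """Same exchange with a strict per-SPI counter: the replay is dropped."""
    a, b = CounterPeer(), CounterPeer()
    m1 = ChangeMessage(SPI, "alg-1", counter=1)
    m2 = ChangeMessage(SPI, "alg-2", counter=2)
    for m in (m1, m2):
        a.receive(m)
        b.receive(m)
    accepted = b.receive(m1)  # E's replay
    return {"A": a.sa[SPI], "B": b.sa[SPI], "replay_accepted": accepted, "log": b.log}


def loss_with_counter() -> Dict[str, object]:
    """m2 is lost in transit.  A is on alg-3; B stays on alg-1 but sees the
    gap when m3 arrives, so the desync is detectable rather than silent."""
    a, b = CounterPeer(), CounterPeer()
    m1 = ChangeMessage(SPI, "alg-1", counter=1)
    m2 = ChangeMessage(SPI, "alg-2", counter=2)
    m3 = ChangeMessage(SPI, "alg-3", counter=3)
    for m in (m1, m2, m3):
        a.receive(m)
    b.receive(m1)
    # m2 never reaches B
    accepted = b.receive(m3)
    return {"A": a.sa[SPI], "B": b.sa[SPI], "m3_accepted": accepted, "log": b.log}


if __name__ == "__main__":
    print(replay_without_protection())
    print(replay_with_counter())
    print(loss_with_counter())
```

The counter only helps if it is covered by whatever authenticates the Change_Message; otherwise E can simply bump it on the replayed copy. Detecting the gap in the loss case tells B something is wrong but does not by itself resynchronise the peers; how the protocol recovers from that is outside what this model shows.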

