[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A pothole in ISAKMP/Oakley

To: ho@earth.hpc.org (Hilarie Orman)
Subject: Re: A pothole in ISAKMP/Oakley
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Date: Tue, 15 Apr 1997 16:13:49 -0400
Cc: pau@watson.ibm.com, ipsec@tis.com, canetti@watson.ibm.com, Dan.McDonald@Eng.sun.com
In-Reply-To: ho's message of Tue, 15 Apr 1997 15:41:03 -0400. <199704151941.PAA06920@earth.hpc.org>
Sender: owner-ipsec@ex.tis.com

> Maybe we are talking about different attacks.  The requirement for AH
> and ESP SPI generation was there before there was key management.  We
> should ask why.  I'd guess that the worry has been that an attacker
> could predict the SPI sequence and insert bogus messages with valid
> SPI's into the traffic stream, forcing the recipient to go through at
> least the trouble of checking the hash if not also decrypting.

I'll re-state that to clarify my view of the benefit:

Random SPI's serve a similar function as cookies: they make it harder
to do an off-path active attack against someone not in the
communication path between the peers.

Given that certain off-path active attacks (e.g., SYN floods) are
known to be in the bag of tricks in the cracker community, I think
resistance to such threats should be considered fairly important.

An ESP/AH implementation which does sequential SPI generation is
asking for trouble.  It's probably OK to kludge it while you're coming
up to speed, but it should take all of a dozen lines of code in an
implementation to do random SPI generation.

(BTW, I hope the implementations doing sequential assignment are doing
collision checks against manually-configured SPI's while they're at
it..).

						- Bill

References:

Re: A pothole in ISAKMP/Oakley

From: ho@earth.hpc.org (Hilarie Orman)

Prev by Date: Another pothole in ISAKMP/Oakley
Next by Date: Re: ESP with stream ciphers
Prev by thread: Re: A pothole in ISAKMP/Oakley
Next by thread: Re: A pothole in ISAKMP/Oakley
Index(es):
- Main
- Thread