
Re: A pothole in ISAKMP/Oakley



> From owner-ipsec@portal.ex.tis.com Tue Apr 15 15:55:29 1997
> Date: Tue, 15 Apr 1997 15:41:03 -0400
> From: ho@earth.hpc.org (Hilarie Orman)
> Message-Id: <199704151941.PAA06920@earth.hpc.org>
> To: pau@watson.ibm.com
> Cc: ipsec@tis.com, canetti@watson.ibm.com, Dan.McDonald@Eng.sun.com
> In-Reply-To: Yourmessage <9704151927.AA22368@secpwr.watson.ibm.com>
> Subject: Re: A pothole in ISAKMP/Oakley
> Sender: owner-ipsec@ex.tis.com
> Precedence: bulk
> Content-Length: 584
> Status: RO
> 
> > You are right. But since Quick Mode Exchange is protected
> > (encrypted and authenticated) by the phase 1 ISAKMP SA,
> > clogging attack should not be a big problem.
> 
> Maybe we are talking about different attacks.  The requirement for AH
> and ESP SPI generation was there before there was key management.  We
> should ask why.

Maybe we have been. But let's focus on the phase 2 OAKLEY Quick mode
in this msg.
>

> I'd guess that the worry has been that an attacker
> could predict the SPI sequence and insert bogus messages with valid
> SPI's into the traffic stream, forcing the recipient to go through at
> least the trouble of checking the hash if not also decrypting.

Correct me if I am wrong. But my understanding of the OAKLEY quick mode
as defined in section 5.4 of <draft-ietf-ipsec-isakmp-oakley-03.txt>
is like this :

  1. The cookies in the ISAKMP msg header are the I-cookie and R-cookie
     of the phase-1 SA which is protecting the quick mode exchange.
     
  2. The SPI's for the would-be ESP and AH SA's are placed in their
     corresponding PROPOSAL payloads which are inside an SA payload.
     
  3. A keyed-hash (HMAC) defined by the phase-1 SA is computed over
     the Quick mode payloads and the msg-ID in the ISAKMP msg header.
     
  4. Everything, including the keyed-hash digest but excluding the ISAKMP
     msg header, is ENCRYPTED through the phase-1 SA.
     
Point 4 is worth noticing because the receiver of a Quick mode msg has
to decrypt the msg then authenticate it (by verifying the keyed hash)
before doing anything else. I think the anti-clogging value of the
SPI has vanished in this case, since a relatively expensive decryption
always has to be done first and an active attack is defeated by the
keyed-hash (and of course also by the fresh nonces in the msgs).


Regards, Pau-Chen
    
> 
> Hilarie
>
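
An added example, not part of the original message: a simplified model of the receiver-side processing order described in points 1-4, recording which expensive steps run before a Quick Mode message can be rejected. The header layout (cookies plus msg-ID only), the HMAC-SHA256 keystream standing in for the phase-1 cipher, and all names and sample payloads are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def keystream_xor(key, iv, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not the real phase-1 cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Phase1SA:
    def __init__(self, i_cookie, r_cookie):
        self.i_cookie, self.r_cookie = i_cookie, r_cookie
        self.enc_key, self.auth_key = os.urandom(32), os.urandom(32)

def build_quick_mode(sa, msg_id, payloads):
    # Point 3: keyed hash over msg-ID and payloads. Point 4: encrypt all but the header.
    digest = hmac.new(sa.auth_key, msg_id + payloads, hashlib.sha256).digest()
    header = sa.i_cookie + sa.r_cookie + msg_id  # point 1: phase-1 cookies, in the clear
    return header + keystream_xor(sa.enc_key, msg_id, digest + payloads)

def receive_quick_mode(sa_table, packet):
    """Return (verdict, work), where work lists the expensive steps performed."""
    work = []
    i_cookie, r_cookie, msg_id = packet[:8], packet[8:16], packet[16:20]
    sa = sa_table.get((i_cookie, r_cookie))
    if sa is None:
        return "no-sa", work  # the only cheap rejection: unknown phase-1 cookies
    plain = keystream_xor(sa.enc_key, msg_id, packet[20:])
    work.append("decrypt")  # the SPIs (point 2) are not visible until after this step
    digest, payloads = plain[:32], plain[32:]
    expected = hmac.new(sa.auth_key, msg_id + payloads, hashlib.sha256).digest()
    work.append("hmac")
    if not hmac.compare_digest(digest, expected):
        return "bad-hash", work
    return "accepted", work

def demo():
    sa = Phase1SA(os.urandom(8), os.urandom(8))
    table = {(sa.i_cookie, sa.r_cookie): sa}
    msg_id = os.urandom(4)
    payloads = b"SA[PROPOSAL spi=0x1000]" + b"Ni" + os.urandom(16)  # constructed sample
    good = build_quick_mode(sa, msg_id, payloads)
    forged = good[:20] + os.urandom(len(good) - 20)  # valid header, junk body
    stray = os.urandom(16) + good[16:]               # unknown cookies
    return [receive_quick_mode(table, p) for p in (good, forged, stray)]
```

In this model the forged message costs the receiver a decryption and a hash check regardless of what SPI value it might contain, while only the cleartext cookies allow a rejection without cryptographic work.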