[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A pothole in ISAKMP/Oakley

To: Norman Shulman <norm@border.com>
Subject: Re: A pothole in ISAKMP/Oakley
From: Stephen Kent <kent@bbn.com>
Date: Tue, 15 Apr 1997 18:27:39 -0400
Cc: ipsec@tis.com
In-Reply-To: <97Apr15.164137edt.11659@janus.border.com>
References: <199704151941.PAA06920@earth.hpc.org>
Sender: owner-ipsec@ex.tis.com

Norm,

	If one selects SPIs to be small integers so that they represent
indices into local tables, then they may be very predictable and thus an
attacker without passive wiretapping ability may be able to formulate
credible-loooking SPIs for existing SAs.  Remember, the SPI plus
destination address completely defines the SA, so there is no source
address check that would be pereformed at this stage of packet processing.

Steve

References:

Re: A pothole in ISAKMP/Oakley

From: ho@earth.hpc.org (Hilarie Orman)

Re: A pothole in ISAKMP/Oakley

From: Norman Shulman <norm@border.com>

Prev by Date: Re[2]: ESP with stream ciphers
Next by Date: Re[2]: ESP with stream ciphers
Prev by thread: Re: A pothole in ISAKMP/Oakley
Next by thread: Re: A pothole in ISAKMP/Oakley
Index(es):
- Main
- Thread