[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sequence Number field for manually configured SAs

To: steveklein@vnet.ibm.com (Steve Klein)
Subject: Re: Sequence Number field for manually configured SAs
From: Dan.McDonald@eng.sun.com (Dan McDonald)
Date: Mon, 28 Jul 1997 10:44:19 -0700 (PDT)
Cc: ipsec@tis.com
In-Reply-To: <199707281316.JAA29407@relay.hq.tis.com> from "Steve Klein" at Jul 28, 97 09:11:49 am
Sender: owner-ipsec@ex.tis.com

<SNIP!>
> Based on these passages, one could assume that for manual SAs you should
> send the Sequence Number field in the ESP but do not increment any
> counters (to avoid the rollover of the field).

You could.  Note the SHOULD NOT.  The reason it says SHOULD NOT is a "cover
the *ss" move.  It's possible to run out of sequence space before rekeying.
In manual keying situations, rekeying is.... hard.

OTOH there's nothing stopping you from doing this anyway.

>       When configured manually, the first value sent SHOULD be a random
>       number.  The limited anti-replay security of the sequence of data-
>       grams depends upon the unpredictability of the values.

Again, it's SHOULD, not MUST.  I believe (and Bill, correct me here if I'm
wrong) that he thinks it should be set to random initially so that an
adversary cannot replay a packet with a subsequent sequence number.  But
without authentication, is the counter useful?

This brings up an interesting point.  Without authentication (either
encryption-only ESP + AH or an ESP with both authentication and encryption),
sequence numbers are less than useless.  Bellovin's paper from '96 points
this out, and it's why (without thinking to explicitly require AH) ESP with
both authentication and encryption came about.

And with authentication, does the value of the replay counter matter?  Quite
honestly, I don't why a random starting point would help when you have some
sort of authentication (AH or an ESP with two algorithms) working for you.
Sure, the adversary knows what the number is, but w/o the authentication key,
he/she cannot inject bogus packets.  And if your implementation follows the
spec correctly, you only accept the packet's sequence number as taken if it
successfully passes authentication and (for ESP) encryption.  If an adversary
can make it pass those, you've a lot bigger problem than replay attacks.  :-(

> Which interpretation is correct?

Yes!  :)

> I assume the same interpretation would also apply to the handling of the
> Sequence Number field in the manually configured AH SAs.

It could, but see my above argument.  Why bother?  The sequence number is
part of the auth calculation.  If your adversary can make that pass, he/she
has the key, and you're in Big Trouble (TM).

--
Daniel L. McDonald  -  Solaris Internet Engineering  ||  MY OPINIONS ARE NOT
Mail: danmcd@eng.sun.com, danmcd@kebe.com <*>        ||  NOT NECESSARILY SUN'S!
Phone: (415) 786-6815            |"rising falling at force ten
WWW: http://www.kebe.com/~danmcd | we twist the world and ride the wind" - Rush

References:

Sequence Number field for manually configured SAs

From: "Steve Klein (254-5623)" <steveklein@vnet.ibm.com>

Prev by Date: Re: Derived versus Explicit IV
Next by Date: Re: Sequence Number field for manually configured SAs
Prev by thread: Re: Sequence Number field for manually configured SAs
Next by thread: Re: Sequence Number field for manually configured SAs
Index(es):
- Main
- Thread