
Re: combining SA proposals in IKE [was: Some questions]



FUKUMOTO Atsushi writes:
> Both nonces are included in the hash input in same order, regardless
> which direction the security association is.  This results in the same
> KEYMAT for both direction iff the responder chooses the same SPI.
[...]
> I think it may be able to be used in some form of replay attack, since
> I can cut a data from one direction of packet and inject it into
> different direction.  Replay protection doesn't work well since it's
> different SA for different direction.

If AH or tunnel-mode ESP with authentication is used, then I don't see how 
deriving the keys for each direction from the same KEYMAT would allow a 
successful cut-and-paste replay attack. In AH the ICV is computed over the src
IP addr and dest IP addr, among other headers and the payload of upper layer 
protocol data. In tunnel-mode ESP-with-auth the ICV is computed over the
ciphertext of the full original IP packet, including src addr and dest addr.
The ordered pair of (src IP addr, dest IP addr) will differ in each direction
unless the initiator and responder live at the same IP address.

Transport-mode ESP-with-auth is only designed to protect upper protocol layer
info, not IP layer info (uh, with the possible exception of some IPv6 
destination options). So it's not trying to provide IP-layer data origin
authentication.

Just using ESP without an auth algorithm is asking for this type of trouble,
as noted in the ESP document.
-- 
Lewis    http://www.cs.umass.edu/~lmccarth/
"This information is so readily available to anybody who wants to commit an act
 of terrorism that you have to assume the security community's real interest is
 to raise attentiveness to their role in preventing terrorism in the hope that
 they can increase their budget"
              --Bruce Bueno de Mesquita, Senior Fellow, Hoover Institution,
                (as quoted by CNN) on objections to the EPA listing chemical 
                storage site locations on the Web
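
The argument in the reply above, as an added example that is not part of the original message: a simplified model (not the AH or ESP wire format) in which both directions share one key, comparing an ICV that covers the ordered (src, dst) address pair with one that does not. HMAC-SHA1-96, the function names, the key and the 192.0.2.x addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

def icv(key, pkt, cover_addrs):
    """HMAC-SHA1-96 over SPI, sequence number and payload; with
    cover_addrs the ordered (src, dst) pair is authenticated as well."""
    msg = b""
    if cover_addrs:
        msg += ipaddress.ip_address(pkt["src"]).packed
        msg += ipaddress.ip_address(pkt["dst"]).packed
    msg += struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"]
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

def make_packet(key, src, dst, spi, seq, payload, cover_addrs):
    pkt = {"src": src, "dst": dst, "spi": spi, "seq": seq, "payload": payload}
    pkt["icv"] = icv(key, pkt, cover_addrs)
    return pkt

def verify(key, pkt, cover_addrs):
    # Constant-time comparison of the recomputed ICV with the received one.
    return hmac.compare_digest(icv(key, pkt, cover_addrs), pkt["icv"])

def reflect(pkt):
    """Move a captured packet into the opposite direction: the addresses
    swap so it routes back to the sender, everything else is unchanged."""
    return dict(pkt, src=pkt["dst"], dst=pkt["src"])

def demo():
    key = b"constructed-shared-keymat"   # same key in both directions (assumption)
    a, b = "192.0.2.1", "192.0.2.2"      # constructed documentation addresses
    results = {}
    for name, cover in (("addresses_covered", True),
                        ("addresses_not_covered", False)):
        pkt = make_packet(key, a, b, 0x1000, 1, b"data", cover)
        # (original verifies, reflected copy verifies)
        results[name] = (verify(key, pkt, cover),
                         verify(key, reflect(pkt), cover))
    return results

if __name__ == "__main__":
    print(demo())
```
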

