
Re: combining SA proposals in IKE [was: Some questions]



Lewis McCarthy wrote regarding the same KEYMAT for both directions:
> If AH or tunnel-mode ESP with authentication is used, then I don't see how 
> deriving the keys for each direction from the same KEYMAT would allow a 
> successful cut-and-paste replay attack. In AH the ICV is computed over the src
:
> Transport-mode ESP-with-auth is only designed to protect upper protocol layer
> info, not IP layer info (uh, with the possible exception of some IPv6 
> destination options). So it's not trying to provide IP-layer data origin
> authentication.


What I had in mind was this: if transport-mode ESP-with-auth is
used, and if the KEYMAT is the same for both directions (and I can detect
this easily since the SPIs are in clear text), I can extract the whole ESP
data (header and payload), add a new IP header, and inject it into the
opposite flow of the stream.  It will pass the ICV check since the KEYMAT
is the same, and the replay-protection sequence number is accepted since
it passed the ICV check (although this may depend on implementation or
security policy detail...).  Since the replay-protection sequence number
was updated, the next legitimate packet to this SA will be rejected,
resulting in degradation or denial of service.

Of course, the IKE draft says:
	Different SPIs for each SA (one chosen by the initiator, the
	other by the responder) guarantee a different key for each
	direction.
So I guess this is a moot point.  (Although I feel it should be
explicitly stated as a MUST.)


					FUKUMOTO Atsushi
					fukumoto@isl.rdc.toshiba.co.jp
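
The per-direction key separation quoted from the IKE draft above, as an added example that is not part of the original message: it derives KEYMAT per SPI as prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) (Quick Mode without PFS) and checks whether ESP bytes taken from one direction verify on the inbound SA of the other. Assumptions: HMAC-SHA1 stands in for the negotiated prf, the ICV input is simplified to ESP header plus payload, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

PROTO_IPSEC_ESP = 3  # IPsec DOI protocol ID for ESP

def keymat(skeyid_d: bytes, protocol: int, spi: int, ni_b: bytes, nr_b: bytes) -> bytes:
    """KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), Quick Mode without PFS.
    HMAC-SHA1 stands in for the negotiated prf (assumption)."""
    data = bytes([protocol]) + struct.pack("!I", spi) + ni_b + nr_b
    return hmac.new(skeyid_d, data, hashlib.sha1).digest()

def esp_icv(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-1-96 over the ESP header (SPI, sequence number) and payload
    (simplified: padding and trailer fields are omitted)."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(auth_key, msg, hashlib.sha1).digest()[:12]

def inbound_accepts(inbound_sas: dict, spi: int, seq: int,
                    payload: bytes, icv: bytes) -> bool:
    """Receiver side: look up the inbound SA by SPI, then verify the ICV."""
    key = inbound_sas.get(spi)
    return key is not None and hmac.compare_digest(
        esp_icv(key, spi, seq, payload), icv)

def reflected_packet_accepted(spi_a_in: int, spi_b_in: int) -> bool:
    """A sends one ESP packet to B; the same ESP bytes are then presented to A.
    Returns True if A's inbound processing would accept them."""
    skeyid_d = b"constructed-skeyid_d"            # constructed sample values
    ni_b, nr_b = b"constructed-Ni", b"constructed-Nr"
    key_a_in = keymat(skeyid_d, PROTO_IPSEC_ESP, spi_a_in, ni_b, nr_b)
    key_b_in = keymat(skeyid_d, PROTO_IPSEC_ESP, spi_b_in, ni_b, nr_b)
    payload, seq = b"constructed upper-layer data", 1
    icv = esp_icv(key_b_in, spi_b_in, seq, payload)  # A -> B uses B's inbound SA
    # Sanity check: the legitimate receiver B accepts the packet.
    assert inbound_accepts({spi_b_in: key_b_in}, spi_b_in, seq, payload, icv)
    # The same SPI, sequence number, payload and ICV arrive at A instead.
    return inbound_accepts({spi_a_in: key_a_in}, spi_b_in, seq, payload, icv)

if __name__ == "__main__":
    print("distinct SPIs:", reflected_packet_accepted(0x1000, 0x2000))
    print("same SPI:     ", reflected_packet_accepted(0x1000, 0x1000))
```

With distinct SPIs the reflected bytes match no inbound SA, and the ICV would not verify under the other direction's key either; only when both directions share one SPI (and therefore one KEYMAT) does the check pass.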


