
Re: multiple phase 1 tunnel and proxy ID issues



Kai,

Thanks for pointing out the security holes here. This is exactly
what I thought to be the problem using FQDN or DN in phase 2
negotiation. We can use FQDN or DN to negotiate, but in order
to start processing packets we need to add SPD entries, which require
ID to IP address translation. Unless a secure DNS lookup is used,
using incoming packets or an insecure DNS lookup may pose
a security threat. In addition, when a mobile user's or dial-in user's
IP address is dynamically assigned, a DNS lookup may not be feasible.

cliff



owner-ipsec@ex.tis.com on 05/27/98 04:47:07 AM
Please respond to kai@imib.med.tu-dresden.de
To: bkavsan@ire-ma.com
cc: ipsec@tis.com
Subject: Re: multiple phase 1 tunnel and proxy ID issues


Hello, Bronislav.

> Mobile User's IP address is contained in all packets coming out of the mobile
> host (Source Address). Why do we need explicitly supply it in Phase 2 ID? What
> if his IP Address used in Phase 2 ID doesn't match the Source Address of his
> packets for some reason? If we bother to check this match, why don't we just
> use the Source IP Address to do the mapping and get away with using IP Address
> as a Phase 2 ID?
>
> In other words ID->IP translation could be done by mapping Phase 1 User ID
> (USER_FQDN, FQDN, DN) to Source IP Address of any packets arriving from this
> host.

I suppose there could be a (theoretical) threat using an
unauthenticated IDui in Phase II (which is the case when I take the
IP address from the packet header or, as proposed too, when an
(insecure) DNS lookup is used to determine it from DN / FQDN), but I
can't prove it yet.
Maybe a real cryptographer could help...

Kai

# Kai Martius                                                           #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology  #
# PGP Fingerprint: to be compared after download of my key              #
# Key and more info (especially IP-security related) see my Homepage    #
# http://www.imib.med.tu-dresden.de/imib/personal/kai.html              #