[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: an inbound SPD-check question



> 
> 
> Say I am processing an inbound packet that has IPSEC protection.  I have
> located the 
> right SA and I have decoded the original packet.
> 
> I am then required to check the SPD to see that the require security was
> applied for the 
> packet I now have.  If the SPD check comes back with the answer "BYPASS"
> (i.e. no
> security required), do I dump the packet, or forward it?
> 
> A bit of silly case (probably some mis-config somewhere), but it could
> happen.  If security
> has been successfully applied, it seems a bit naff to bin the packet because
> the inbound SPD
> check says the IPSEC protection was not required.
> 
> Cheers, Steve. 
> 

The problem you state could alternately be labelled "denial-of-service 
attack" on the receiver. The receiver is forced to decrypt packets
(a compute intensive task), only  to decide afterwards between 
(a) dropping or (b) sending ICMP reject. If accepted, the consequence 
would be even worse because traffic would be encrypted in one direction 
and clear in the opposite direction. A sure target from an atacker. 

IPsec is highly prone to denial-of-service attack when policy exchange 
is not synchronous between peers. This is why it is important that 
policies be exchanged properly  at the time of IKE negotiation.


cheers,
suresh


References: