[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
question about IKE Quick Mode
I have been working on a formal analysis of IKE. As a result of the
analysis I've found some rather odd behavior when client identifiers
are not specified which conceivably could be used in a denial of service
attack. In that
case, according to draft-ietf-ipsec-isakmp-oakley-08.txt,
the identities are implicitly assumed to be
to be the IP addresses of the ISAKMP peers. However, a key in that
case would be associated with *two* IP addresses, and it's not clear
from the specification of the messages in IKE which one would
be the originator of the message. This appears to allow
for a situation in which an initiator B can be convinced that
it has successfully completed a Quick Mode exchange with a responder
A, while in fact an intruder has fooled it into completing
a Quick Mode Exchange with itself.
This is done by having B initiate a Quick Mode exchange with A.
The intruder intercepts this message, and replays it back to B
as A initiating a quick mode exchange with B. B as responder produces
a message which the intruder sends to B as initiator as a message from
the responder A, and so on, until at the end B is convinced that it
shares a key with A when actually it is sharing a key with itself.
What I'd like to know is: is there anything that I'm missing here?
In particular,
is there any information that could be sent in this exchange that I'm missing
because it takes place at a lower level than the IKE specification?
Or is this a situation that could actually occur, in at least some, if not
all, implementations?
Cathy Meadows
Naval Research Laboratory
Follow-Ups: