[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments about draft-ietf-ipsec-ike-01.txt

To: "Valery Smyslov" <svan@trustworks.com>
Subject: Re: Comments about draft-ietf-ipsec-ike-01.txt
From: Tero Kivinen <kivinen@ssh.fi>
Date: Wed, 16 Jun 1999 16:05:14 +0300 (EET DST)
Cc: ipsec@lists.tislabs.com
In-Reply-To: <199906161228.QAA13123@relay1.trustworks.com>
Organization: SSH Communications Security Oy
References: <199906160721.LAA01404@relay1.trustworks.com><199906161153.OAA02241@torni.ssh.fi><199906161228.QAA13123@relay1.trustworks.com>
Sender: owner-ipsec@lists.tislabs.com

Valery Smyslov writes:
> Yes, but in this case we have the same situation as with ordinary 
> notification, but with more computation resources involved. This 
> makes me think that, at least, in this particular situation 
> (NO-PROPOSAL-CHOSEN) such notification seems to be more harmful then 
> useful - it forces responder to perform public key operation in 
> response to unauthenticated peer (even without cookies been 
> exchanged) plus it may reveal responder's identity. And at such cost 
> we have only problematic initiators ability to verify signature. Is 
> it really worth?

In some cases yes. In some cases no. It depends quite a lot about the
policy. For example in most VPN cases the security gateway do NOT
trust any plain text notifications, just to make denial of service
attacks harder.

For attacker it is very easy to send NO-PROPOSAL-CHOSEN every time you
see first packet of the main mode. It is harder to delete that packet,
but to just see that, you need one sniffer between those two vpn
gateways. Also the NO-PROPOSAL-CHOSEN packet can be sent from
different location, thus making it almost impossible to find the
sniffer.

The policy for signed notifications can be something like send only
one signed notification every 10 seconds, otherwise use
unauthenticated notifications. If the other end does trust the
unauthenticated notification, then it will retransmit its packet and
if we haven't sent out any signed notifications for last 10 seconds,
then we reply with signed notification.

Of course there is no point of sending signed notifications to peer
that is known to support only pre-shared keys. Also if you do not want
to send you CERT payload because it would reveal your identity, then
you must either create new ISAKMP SA and use that to send
notifications (very hard if you are just trying to send
NO-PROPOSAL-CHOSEN notification back) or you must send the
notification without any protection.

I am not suggesting we remove the old unauthenticated notifications, I
just say that there is many cases where I do not want to trust
unauthenticated notifications.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

References:

Re: Comments about draft-ietf-ipsec-ike-01.txt

From: "Valery Smyslov" <svan@trustworks.com>

Re: Comments about draft-ietf-ipsec-ike-01.txt

From: Tero Kivinen <kivinen@ssh.fi>

Re: Comments about draft-ietf-ipsec-ike-01.txt

From: "Valery Smyslov" <svan@trustworks.com>

Prev by Date: Re: Comments about draft-ietf-ipsec-ike-01.txt
Next by Date: Re: Comments about draft-ietf-ipsec-ike-01.txt
Prev by thread: Re: Comments about draft-ietf-ipsec-ike-01.txt
Next by thread: Re: Comments about draft-ietf-ipsec-ike-01.txt
Index(es):
- Main
- Thread