
Re: Comments about draft-ietf-ipsec-ike-01.txt



On 16 Jun 99 at 14:53, Tero Kivinen wrote:

> Valery Smyslov writes:
> > On 16 Jun 99 at 1:06, Tero Kivinen wrote:
> > 
> > [...]
> > > I would really like to see two new kinds of notifications here:
> > > 
> > > 	Initiator			Responder
> > >        -----------		       -----------
> > > 	HDR, SIG, [CERTs], Ni, N/D -->
> > > 
> > > Where SIG (MUST be first payload) is signature of the HASH of the rest
> > > of the payload. This would allow sending delete and error notification
> > > payloads to the responder even when we do not have ISAKMP SA up yet
> > > (for example sending error message of phase 1 (NO-PROPOSAL-CHOSEN)).
> > > 
> > > In this case the SIG should also define the HASH algorithm to use, so
> > > we should either use signature format that contains it or define it
> > > somewhere else. 
> > What about the situation when Responder doesn't support signatures
> > at all (i.e. performs only preshared key authentication) or supports 
> > different signature algorithm from that you've used to sign this 
> > message? In your example (sending NO-PROPOSAL-CHOSEN in phase 1) it 
> > will often be the case, making such notification almost useless. 
> > Also, such notification increases IKE vulnerability to DoS attack.
> 
> Then the responder ignores the SIG payload and it can still read the
> clear text notification or delete, and act accordingly. Its policy then
> dictates whether it will trust the unauthenticated notification or
> delete or not. 

Yes, but in this case we have the same situation as with ordinary 
notification, but with more computation resources involved. This 
makes me think that, at least, in this particular situation 
(NO-PROPOSAL-CHOSEN) such notification seems to be more harmful than 
useful - it forces responder to perform public key operation in 
response to unauthenticated peer (even without cookies being 
exchanged) plus it may reveal responder's identity. And at such cost 
we have only problematic initiator's ability to verify signature. Is 
it really worth it?

Regards,
Valery.


