
Re: Racing QM Initiator's



Valery Smyslov wrote:

<trimmed...> 
> Another curious point - how IKE handles self-connect. Let us assume
> we have IPsec host A and an attacker injects IKE packet (src_ip = A,
> dst_ip = A, CKY-I = xxx, CKY-R = 0) into the network. A receives this
> packet and (naively) begins to act as responder creating state and
> replying with packet (src_ip = A, dst_ip = A, CKY-I = xxx, CKY-R =
> yyy). Then it receives this packet back, binds it to that very state
> and, most likely, rejects it (possibly with some error notification)
> because it is malformed from its (responder's) point of view. After
> some time state will die due to timeout. Is this scenario correct? I
> understand that this situation causes no particular harm and it is
> very easy to avoid by simple sanity check (compare IP addresses), but
> still, IKE seems to have no special treatment of it, has it?

Assuming policy is correctly configured (and implemented), this packet
should never reach the IKE implementation, should it?

Scott
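The self-connect exchange described in the quoted post, and the two places it can be stopped (the IKE-level address sanity check Valery suggests, and the policy check Scott points to), as an added simulation that is not part of this thread and not code from any IKE implementation. The packet layout follows the 28-byte ISAKMP header, but the responder classes `NaiveResponder` and `CheckedResponder`, the `spd_allows` policy stand-in, the deterministic cookie source and the injected packet are all constructed for the example:

```python
import itertools
import struct
from dataclasses import dataclass

# ISAKMP header: CKY-I, CKY-R, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_CKY = bytes(8)
EXCH_MAIN_MODE = 2   # Identity Protection exchange
PAYLOAD_SA = 1       # first payload of Main Mode messages 1 and 2
PAYLOAD_KE = 4       # first payload of Main Mode messages 3 and 4


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    raw: bytes

    def header(self):
        cky_i, cky_r, next_payload, _ver, exch, _flags, _mid, _len = ISAKMP_HDR.unpack_from(self.raw)
        return cky_i, cky_r, next_payload, exch


def build_packet(src_ip, dst_ip, cky_i, cky_r, next_payload):
    """Header-only ISAKMP packet: version 1.0, flags 0, message ID 0 (phase 1)."""
    raw = ISAKMP_HDR.pack(cky_i, cky_r, next_payload, 0x10, EXCH_MAIN_MODE, 0, 0, ISAKMP_HDR.size)
    return Packet(src_ip, dst_ip, raw)


class NaiveResponder:
    """Toy phase-1 responder with no address sanity check (hypothetical, models the quoted scenario)."""

    def __init__(self, addr):
        self.addr = addr
        # Deterministic stand-in for a random CKY-R so the run is reproducible.
        self._cookies = (bytes([n]) * 8 for n in itertools.count(0xA1))
        self.states = {}     # (CKY-I, CKY-R) -> payload type we expect next from the peer
        self.events = []

    def receive(self, pkt):
        cky_i, cky_r, next_payload, _exch = pkt.header()
        if cky_r == ZERO_CKY:
            # Main Mode message 1: create responder state and answer with message 2 (SA).
            new_cky_r = next(self._cookies)
            self.states[(cky_i, new_cky_r)] = PAYLOAD_KE
            self.events.append("state created")
            return build_packet(self.addr, pkt.src_ip, cky_i, new_cky_r, PAYLOAD_SA)
        expected = self.states.get((cky_i, cky_r))
        if expected is None:
            self.events.append("no state for cookies, dropped")
            return None
        if next_payload != expected:
            # Binds to our responder state but carries what a responder sends, not what it receives.
            # A real stack might send an error notification; the toy only drops and lets state time out.
            self.events.append("own reply received: malformed for responder state, rejected")
            return None
        self.events.append("message accepted")
        return None   # further Main Mode processing is outside the scope of the toy

    def timeout(self):
        """Expire all half-open states, as the retransmission timer eventually would."""
        self.states.clear()


class CheckedResponder(NaiveResponder):
    """Same machine plus the sanity check from the quoted post: refuse packets sourced from ourselves."""

    def receive(self, pkt):
        if pkt.src_ip == pkt.dst_ip or pkt.src_ip == self.addr:
            self.events.append("self-addressed packet dropped before state creation")
            return None
        return super().receive(pkt)


def spd_allows(pkt, local_addrs):
    """Stand-in for the policy check in the reply: a packet arriving from the wire with one of our
    own addresses as source is spoofed and never reaches IKE."""
    return pkt.src_ip not in local_addrs


def run_self_connect(responder, use_policy=False):
    """Inject the attacker's packet (src = dst = A, CKY-R = 0) and loop A's own replies back to it."""
    a = responder.addr
    queue = [build_packet(a, a, b"\x11" * 8, ZERO_CKY, PAYLOAD_SA)]   # constructed attacker packet
    while queue:
        pkt = queue.pop(0)
        if use_policy and not spd_allows(pkt, {a}):
            responder.events.append("dropped by policy")
            continue
        reply = responder.receive(pkt)
        if reply is not None and reply.dst_ip == a:
            queue.append(reply)   # A addressed it to itself, so A receives it next
    states_before_timeout = len(responder.states)
    responder.timeout()
    return responder.events, states_before_timeout


if __name__ == "__main__":
    for label, resp, pol in (("naive", NaiveResponder("192.0.2.1"), False),
                             ("checked", CheckedResponder("192.0.2.1"), False),
                             ("policy", NaiveResponder("192.0.2.1"), True)):
        print(label, run_self_connect(resp, use_policy=pol))
```

The naive run reproduces the post: one half-open state is created, the host receives its own message 2, rejects it as malformed for a responder, and the state lingers until the timer clears it. Either the IKE-level address comparison or the inbound policy check stops the sequence before any state exists, which is the cheaper place to do it.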

