
RE: IPSec SA DELETE in "dangling" implementation



The adversary may not need a gazillion years; they may have (much) better
information, and she may only need to brute-force a few remaining bits. If
IKE group 2 is used, for instance, only the upper 10 bits of the
Diffie-Hellman are known to be hard-core; if it is possible to easily
compute the rest of the bits from the public Diffie-Hellman exponents, then
only 1024/2 = 512 queries would be needed on average to break the key.

-- Jesse

-----Original Message-----
From: Slava Kavsan [mailto:bkavsan@ire-ma.com]
Sent: Monday, December 06, 1999 12:03 PM
To: Walker, Jesse
Cc: ipsec@lists.tislabs.com
Subject: Re: IPSec SA DELETE in "dangling" implementation


Very interesting point Jesse! In other words - someone could use encrypted
keep-alive messages for brute-force key discovery?
Well - this may take a gazillion years to attack - hopefully IKE SA lifetimes
are shorter than that :))

"Walker, Jesse" wrote:

> It is not evident that it is a good idea to use Acked-NOTIFY or any other
> Acked message for this function. If the traffic is protected by some key,
> and if the adversary somehow knows it is being used (e.g., because the
> traffic is remote access), then inserting an Ack into the protocol
> transforms the peer into an oracle to answer questions about the key--the
> adversary knows it has guessed the right key as soon as it can get one
> system to ack to its "keepalive".
>
> If this observation is correct, then what seems to be needed is for one
> end to apprise its peer that it (the local system) may purge old SAs that
> appear to have died, along with some notion of what it considers dead
> (e.g., it receives no traffic for 5 minutes). It then becomes the
> responsibility of the peer that wants its SAs to remain to send traffic to
> defeat the dead SA harvesting. So any solution should propose mechanisms
> for both parts.
>
> -- Jesse
>
> -----Original Message-----
> From: Slava Kavsan [mailto:bkavsan@ire-ma.com]
> Sent: Friday, December 03, 1999 8:04 AM
> To: Scott G. Kelly
> Cc: Jan Vilhuber; Srinivasa Rao Addepalli; Dan Harkins; Markku Savela;
> ipsec@lists.tislabs.com
> Subject: Re: IPSec SA DELETE in "dangling" implementation
>
> "Scott G. Kelly" wrote:
>
> > Maybe dead peer detection should not rely upon the presence of an IKE
> > SA.
>
> I like this approach, but it needs to be further analysed:
>
> - are there any attacks possible when using unprotected NOTIFYs for
>   keep-alive? E.g. is a "false-alive" attack really an attack?
> - what if protected keep-alives are used when possible (IKE SA is around)
>   and non-protected when there is no IKE SA?
> - use of keep-alives in this fashion will prevent us from taking advantage
>   of using Ack-ed NOTIFY for keep-alives, because Ack-ed NOTIFY is always
>   protected (unless this requirement can be relaxed for keep-alives)
> - could resource-minded implementations, when they need more memory,
>   "shrink" their SAs (instead of deleting them) to a bare minimum to only
>   support keep-alive protection?
> - could we use (somehow) IPSec-based keep-alives?
> - etc.
> - etc.

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-539-4816
http://www.ire.com
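
The two-part scheme proposed in the thread (the receiver purges SAs that look dead, the peer keeps its SAs alive by sending traffic, and nothing is ever acked) can be modelled as below. This is an added example, not code from any poster or from an IPsec implementation; the class and function names, the sample SPIs and keys, and the use of HMAC-SHA256 as a stand-in for the SA's integrity check are assumptions, and the 300-second limit is the "5 minutes" figure from the message.

```python
import hashlib
import hmac

IDLE_LIMIT = 300  # seconds; the "5 minutes" example from the thread

def tag(key, payload):
    # Stand-in for the SA's integrity check (assumption: HMAC-SHA256).
    return hmac.new(key, payload, hashlib.sha256).digest()

class Receiver:
    """Hypothetical model of the end that harvests dead SAs."""

    def __init__(self, idle_limit=IDLE_LIMIT):
        self.idle_limit = idle_limit   # the value it would tell its peer
        self.sas = {}                  # spi -> [key, time of last valid packet]

    def add_sa(self, spi, key, now):
        self.sas[spi] = [key, now]

    def receive(self, spi, payload, mac, now):
        # No ack is ever sent: the return value is None whether or not the
        # packet verified, so a sender cannot use this end as a key oracle.
        sa = self.sas.get(spi)
        if sa and hmac.compare_digest(tag(sa[0], payload), mac):
            sa[1] = now                # only authenticated traffic counts
        return None

    def harvest(self, now):
        # Purge every SA idle for longer than the limit; return the SPIs.
        dead = sorted(s for s, (_, seen) in self.sas.items()
                      if now - seen > self.idle_limit)
        for spi in dead:
            del self.sas[spi]
        return dead

def simulate():
    # Constructed scenario: three SAs set up at t=0, checked at t=600.
    rx = Receiver()
    rx.add_sa(0x1001, b"key-A", now=0)   # peer keeps sending valid traffic
    rx.add_sa(0x1002, b"key-B", now=0)   # peer has gone away
    rx.add_sa(0x1003, b"key-C", now=0)   # only wrongly keyed packets arrive
    replies = set()
    for t in range(60, 601, 60):
        replies.add(rx.receive(0x1001, b"data", tag(b"key-A", b"data"), t))
        replies.add(rx.receive(0x1003, b"data", tag(b"guess", b"data"), t))
    return rx.harvest(now=600), sorted(rx.sas), replies
```

Only the SA whose peer sent correctly keyed traffic within the limit survives; packets that fail the check neither refresh an SA nor produce any response.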