Replay problem



    In IPsec, replay protection is provided by a Sequence Number Counter and an anti-replay window. But it causes some problems in current implementations according to RFC 2401 Appendix C. When an attacker seizes an IPsec flow, the IP address and SPI are known, and then he can send forged IP packets to the destination, whose Sequence Number may be very large, as simple as 2^32.
    In the case of using ESP without authentication, after receiving the forged packet, the anti-replay window of the SA will wrongly slide to the end, causing most packets to be denied, or else the SA must be rebuilt. This is a serious problem.
    In the other case, the destination receives the forged packet and needs to authenticate it. When the attacker sends a large number of forged packets, the destination may suffer denial of service because its performance is exhausted, since the forged packet is discarded only after it is authenticated.
    How to solve this problem?
    If we receive a new IPsec packet whose sequence number is much larger than the last packet's, such as 128 or another specified number, we will consider it a forged packet and discard it; otherwise we slide the window as usual. This can avoid the DoS attack to a large degree.
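
As an added example (not code from the original post or from any IPsec implementation), the following C models an RFC 2401 Appendix C style anti-replay window and the scenario above: a run of legitimate packets, one forged packet with a huge sequence number, and the next legitimate packet. The jump limit is the poster's proposal, switchable so both behaviours can be compared; REPLAY_WINDOW, MAX_JUMP, replay_state, replay_check and legit_survives_forgery are names chosen here, and the forged sequence number is 0xFFFFFFFF because 2^32 itself does not fit the 32-bit field.

```c
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 64   /* minimum window size suggested by RFC 2401 Appendix C */
#define MAX_JUMP      128  /* the post's proposed limit on a forward jump (assumption) */

/* Window state for one inbound SA: right edge plus a bitmap of received packets. */
typedef struct {
    uint32_t last_seq;  /* highest sequence number accepted so far (right edge) */
    uint64_t bitmap;    /* bit i set => sequence number (last_seq - i) was received */
} replay_state;

/* Returns true if seq is accepted; state is updated only on acceptance.
 * With limit_jump set, a forward jump larger than MAX_JUMP is discarded,
 * which is the post's mitigation for the forged-sequence-number case. */
bool replay_check(replay_state *st, uint32_t seq, bool limit_jump)
{
    if (seq == 0)
        return false;                        /* sequence numbers start at 1 */
    if (seq > st->last_seq) {                /* new packet to the right of the window */
        uint32_t diff = seq - st->last_seq;
        if (limit_jump && diff > MAX_JUMP)
            return false;                    /* implausible jump: treat as forged */
        if (diff < REPLAY_WINDOW)
            st->bitmap = (st->bitmap << diff) | 1u;  /* slide window forward */
        else
            st->bitmap = 1u;                 /* everything older falls out of the window */
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;      /* packet inside or left of the window */
    if (diff >= REPLAY_WINDOW)
        return false;                        /* too old */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;                        /* already received: replay */
    st->bitmap |= (uint64_t)1 << diff;
    return true;
}

/* Scenario from the post: legitimate packets 1..10, a forged packet carrying
 * 0xFFFFFFFF (constructed value), then legitimate packet 11. Returns whether
 * packet 11 is still accepted. */
bool legit_survives_forgery(bool limit_jump)
{
    replay_state st = {0, 0};
    for (uint32_t s = 1; s <= 10; s++)
        replay_check(&st, s, limit_jump);
    replay_check(&st, 0xFFFFFFFFu, limit_jump);  /* forged; no ICV to reject it */
    return replay_check(&st, 11, limit_jump);
}
```

On an authenticated SA the window is advanced only after the ICV verifies, so the jump limit there mainly saves the integrity computation on the forged packet; the cost of the limit is that a legitimate gap of more than MAX_JUMP lost packets is also discarded.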
