
Re: Replay problem



In message <003601bfd502$ef251920$8a010b0a@zhouzheng.huawei.com.cn>, "周政" (Zhou Zheng) writes:

>
>    In IPsec, replay protection is provided by a Sequence Number Counter
>and an anti-replay window. But it causes some problems in current
>implementations according to RFC 2401 Appendix C. When an attacker seizes an
>IPsec flow, the IP address and SPI are known, and then he can send
>forged IP packets to the destination whose Sequence Number may be very
>large, as large as 2^32.
>    In the case of using ESP without authentication, after receiving the
>forged packet, the anti-replay window of the SA will wrongly slide to the
>end, causing most packets to be refused, unless the SA is rebuilt. This
>is a serious problem.
>    In the other case, the destination receives the forged packet and needs to
>authenticate it. When the attacker sends many forged packets, the
>destination may suffer denial of service because its performance is
>exhausted, since the forged packet is only discarded after it has been
>authenticated.
>   How to solve this problem?
>   If we receive a new IPsec packet whose sequence number is much larger
>than the last packet's, such as 128 or another specified number, we will
>consider it a forged packet and discard it; otherwise slide the window
>simply. And it can avoid the DoS attack to a large degree.

The proper answer is to use authentication.  That prevents even more 
serious attacks; see http://www.research.att.com/~smb/papers/badesp.ps 
(or .pdf).

		--Steve Bellovin
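Added example, not part of the thread: the RFC 2401 Appendix C anti-replay window written out in Python and run twice over the same packet stream, once as ESP without authentication and once with an ICV check before the window is advanced. It shows the failure the question describes (a forged packet with sequence number 2^32-1 slides the window so that all following legitimate packets are dropped as replays) and why the answer is authentication rather than a heuristic: a forged packet that fails its ICV never touches the window. The key, payloads and 64-entry window size are constructed for the demo, and HMAC-SHA1-96 stands in for the ESP ICV; none of this is code from RFC 2401 or from any IPsec implementation.

```python
import hmac
import hashlib

SEQ_MAX = 2**32 - 1          # ESP sequence number is a 32-bit field
ICV_LEN = 12                 # HMAC-SHA1-96 truncates the tag to 96 bits
DEMO_KEY = b"constructed demo key, not a real SA key"   # constructed for this demo


class ReplayWindow:
    """Sliding anti-replay window modelled on RFC 2401 Appendix C.

    last_seq is the highest sequence number accepted so far; bit i of
    bitmap records whether last_seq - i has been seen.
    """

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check(self, seq):
        """Read-only test: is seq new and inside the window?"""
        if seq == 0:                      # 0 is never a valid ESP sequence number
            return False
        if seq > self.last_seq:           # ahead of the window: provisionally OK
            return True
        diff = self.last_seq - seq
        if diff >= self.size:             # too old, fell off the left edge
            return False
        return not (self.bitmap >> diff) & 1   # already seen?

    def update(self, seq):
        """Advance or mark the window. Call only after check() and after the ICV verified."""
        if seq > self.last_seq:
            diff = seq - self.last_seq
            if diff < self.size:
                self.bitmap = ((self.bitmap << diff) | 1) & ((1 << self.size) - 1)
            else:                         # jumped past the whole window: start fresh
                self.bitmap = 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def icv(seq, payload, key=DEMO_KEY):
    """Stand-in for the ESP ICV: HMAC-SHA1-96 over sequence number and payload."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()[:ICV_LEN]


def receive(window, packet, authenticate):
    """Receiver-side processing of one (seq, payload, icv) tuple.

    With authenticate=True the window is only advanced once the ICV verifies,
    which is the order RFC 2401 Appendix C prescribes.  With authenticate=False
    (ESP without authentication) any sequence number is taken at face value.
    """
    seq, payload, tag = packet
    if not window.check(seq):
        return "replay"
    if authenticate and not hmac.compare_digest(icv(seq, payload), tag):
        return "auth-fail"
    window.update(seq)
    return "accepted"


def run_scenario(authenticate):
    """Legitimate traffic, one replay, one forged high-seq packet, more legitimate traffic."""
    window = ReplayWindow()
    legit = lambda n: (n, b"data%d" % n, icv(n, b"data%d" % n))
    forged = (SEQ_MAX, b"junk", b"\x00" * ICV_LEN)     # attacker knows the SPI, guesses the ICV
    stream = [legit(n) for n in range(1, 6)] + [legit(3), forged] + [legit(n) for n in range(6, 9)]
    return [(seq, receive(window, (seq, p, t), authenticate)) for seq, p, t in stream]


if __name__ == "__main__":
    for mode in (False, True):
        print("authentication:", mode)
        for seq, result in run_scenario(mode):
            print(f"  seq {seq:>10}  {result}")
```

Without authentication the forged packet is "accepted", last_seq jumps to 2^32-1, and sequence numbers 6, 7 and 8 are all reported as "replay" because they now lie more than a window's width behind. With authentication the same packet is "auth-fail" and the window never moves, so 6, 7 and 8 go through. The cost the question raises, an HMAC per forged packet, is real but bounded; the alternative heuristic of rejecting any jump larger than 128 also rejects legitimate traffic after a burst of loss.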