
Re: Replay problem



>     In IPsec, replay protection is provided by a Sequence Number Counter 
> and an anti-replay window. But it causes some problems in current 
> implementations according to RFC 2401 Appendix C. When an attacker seizes an 
> IPsec flow, the IP address and SPI are known, and then he can send 
> forged IP packets to the destination, whose Sequence Number may be very 
> large, simply as large as 2^32.
> 
>     In the case of using ESP without authentication, after receiving the 
> forged packet, the anti-replay window of the SA will wrongly slide to the 
> end, causing most packets to be refused; otherwise the SA must be rebuilt. This 
> is a serious problem.

If you do not use authentication, then anti-replay checking is not
done.  As you have shown, it would not serve any purpose to do it.

Unfortunately, ESP without authentication remains an allowed feature
of ESP.  It is wise to avoid it, though.

      paul
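As an added illustration (not part of the thread above, and not code from any IPsec implementation), the following sketch models the receive side of one inbound SA with a sliding anti-replay window in the style of RFC 2401 Appendix C. It runs the same scenario twice: once with ESP authentication (here an HMAC-SHA1-96 ICV, as in RFC 2404) and once without. The packet format, the key, and the 64-bit window size are assumptions made for the example; real ESP carries the sequence number in its header and the ICV as a trailer, and the constructed packets here are plain tuples. With authentication, a forged packet carrying sequence number 0xFFFFFFFF fails the ICV check before the window is touched, so later legitimate packets are still accepted. Without authentication, the same forgery slides the window to the far end and every following legitimate packet is rejected as too old, which is exactly why the reply says the check serves no purpose there.

```python
import hmac
import hashlib
import struct

WINDOW_SIZE = 64          # RFC 2401 Appendix C: minimum 32, 64 is the usual default
SEQ_MAX = 0xFFFFFFFF      # 32-bit sequence number space (no extended sequence numbers)
SA_KEY = b"example-auth-key"  # assumption: a fixed key for this constructed SA


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 2401 Appendix C.

    `top` is the highest sequence number accepted so far. Bit i of `bitmap`
    records whether sequence number (top - i) has already been accepted.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """True if `seq` is new and not to the left of the window."""
        if seq == 0 or seq > SEQ_MAX:
            return False                      # sequence numbers start at 1
        if seq > self.top:
            return True                       # to the right: new
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old: fell off the left edge
        return not (self.bitmap >> diff) & 1  # already seen -> replay

    def update(self, seq):
        """Slide the window to admit `seq`.

        Call only after check() passed and, when authentication is in
        use, only after the ICV verified (RFC 2406 section 3.4.3).
        """
        if seq > self.top:
            diff = seq - self.top
            if diff < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << diff) | 1) & mask
            else:
                self.bitmap = 1               # everything older is now outside
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(key, seq, payload):
    """HMAC-SHA1-96 over the sequence number and payload (RFC 2404 style)."""
    data = struct.pack(">I", seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


class InboundSA:
    """Minimal receive path: window check, optional ICV check, window update."""

    def __init__(self, key, authenticate):
        self.key = key
        self.authenticate = authenticate
        self.window = ReplayWindow()

    def receive(self, packet):
        seq, payload, icv = packet             # constructed packet layout
        if not self.window.check(seq):
            return "dropped: replay or outside window"
        if self.authenticate:
            expected = compute_icv(self.key, seq, payload)
            if not hmac.compare_digest(expected, icv):
                return "dropped: bad ICV"      # window left untouched
        self.window.update(seq)
        return "accepted"


def legit_packet(seq, payload=b"data"):
    """A packet as the real peer would send it (valid ICV)."""
    return (seq, payload, compute_icv(SA_KEY, seq, payload))


def forged_packet(seq, payload=b"junk"):
    """A packet from someone who knows the SPI and addresses but not the key."""
    return (seq, payload, b"\x00" * 12)


def simulate(authenticate):
    """Three good packets, one forgery with a huge sequence number, three more
    good packets. Returns the verdict for each packet in order."""
    sa = InboundSA(SA_KEY, authenticate)
    stream = [legit_packet(1), legit_packet(2), legit_packet(3),
              forged_packet(SEQ_MAX),
              legit_packet(4), legit_packet(5), legit_packet(6)]
    return [sa.receive(p) for p in stream]


if __name__ == "__main__":
    for auth in (True, False):
        print("authentication", "on " if auth else "off", simulate(auth))
```

The point to take from the two runs: the window check itself is identical in both cases, so the only thing that keeps the forged packet from poisoning the window is an integrity check the attacker cannot pass. The same structure also shows why the ICV must be verified before the window is updated rather than after.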

