[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipsec error protocol

To: sommerfeld@East.Sun.COM
Subject: Re: ipsec error protocol
From: Frédéric Detienne <fd@cisco.com>
Date: Wed, 17 Jan 2001 22:26:19 +0100
CC: "Scott G. Kelly" <skelly@redcreek.com>, sankar ramamoorthi <sankar@nexsi.com>, ipsec@lists.tislabs.com
Organization: Cisco
References: <200101172019.f0HKJB5106736@thunk.east.sun.com>
Reply-To: fd@cisco.com
Sender: owner-ipsec@lists.tislabs.com

Hi Bill,

I remember your e-mail. Actually, I think it is nice solution but I have a few remarks:

a) not everyone knows how many times that host rebooted so far. So the latest cert of birth should be included in every phase 1 negotiation. Otherwise, it is as untrustworthy as an  ICMP or authenticated ISAKMP notifications. I mean: an cert of birth with a boot sequence number only makes sense if you can measure the monotonic increase of the sequence.

b) if an attacker finds a way to reboot a host generating certs of birth, this can force the signing host (either the host itself (self signed cert)) or the CA to sign an enormous amount of data, therefor weakening its private key (clear text attack). I do not know how efficient that would be but I would welcome the advice of a cryptographer.

Besides this, I stick to your idea.

	fred.

Bill Sommerfeld wrote:
> 
> To repeat a previous suggestion I made to this list last year:
> 
>    If we have the system sign a "birth certificate" when it reboots
>    (including a reboot time or boot sequence number), we could include
>    that with a "bad spi" ICMP error and in the negotiation of the IKE SA.
> 
>    This pushes the burden of reestablishing state to the end which
>    already thinks it has shared state and has traffic it wants to send.
> 
>    The system which is receiving packets to unknown SPI's merely has to
>    respond with a simple message which involves no real-time cryptography
>    (it should, of course, be rate limited).
> 
>    The system receiving the error message can discard it if it doesn't
>    correspond to existing state or if it's "old news" (i.e., you get
>    replay protection); if it's not old news, you can rate-limit how often
>    you attempt to verify the signature.
> 
> I think that, in practice, a boot sequence number will suffice and
> require minimal state.  Also, the "birth certificate" could be
> included in an "unknown phase 1" IKE error, to allow for faster
> recovery from loss of phase 1 state..
> 
>                                         - Bill

Follow-Ups:

Re: ipsec error protocol

From: Bill Sommerfeld <sommerfeld@East.Sun.COM>

References:

Re: ipsec error protocol

From: Bill Sommerfeld <sommerfeld@East.Sun.COM>

Prev by Date: Re: ipsec error protocol
Next by Date: Re: ipsec error protocol
Prev by thread: Re: ipsec error protocol
Next by thread: Re: ipsec error protocol
Index(es):
- Main
- Thread