
Re: FW: ipsec error protocol



    To cross this point the attacker has to be really sophisticated.
    Not only does he have to sniff and spoof the packet, but he also has
    to send the 'invalid spi' message in a short time window.

I'm aware of active attack code which does stuff like this already for
tcp connections.

In addition, a (deliberately or not) misconfigured host along the path
which implements your scheme would trivially implement this part of
the attack -- just convince it that one of its host addresses is the
target's address and arrange for the packet stream to hit its
ip_input() or equivalent.

   5. If a valid packet is received on the inbound ipsec-sa or
      a valid 'receipt' type of ipsec-control packet is received for the
      inbound sa, reset the counter and clear the flag. The 'invalid spi'
      notification was bogus.

This assumes that:
 a) there is bidirectional traffic flow, and
 b) the implementation maintains a linkage between the "inbound" and
"outbound" SAs

Addressing each of these in turn:

If you have redundant tunnels and are running dynamic routing over
them (and before you dismiss this as unlikely, I know people who have
talked seriously about deploying just this), then due to the vagaries of
dynamic routing, the traffic flow over any given tunnel may be
unidirectional.

Existing implementations I'm familiar with don't do (b), and adding
this mapping is non-trivial because multiple equivalent SAs may exist
between a pair of communicating nodes.

					- Bill
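The following is an added simulation of the counter-and-flag scheme quoted above and of the two assumptions Bill's reply calls out; it is example code written for this page, not code from Bill or from any IPsec implementation. The notification format, the SPI values, the peer names and the threshold of three uncleared notifications are all assumptions chosen for illustration. It models step 5 (a valid packet on the inbound SA clears the flag on the linked outbound SA) and shows that a stream of forged 'invalid spi' notifications tears the outbound SA down whenever either the reply traffic or the inbound/outbound linkage is missing.

```python
"""Simulation of the 'invalid spi' notification counter scheme.

Assumed model (not from the thread): a host counts 'invalid spi'
notifications against the outbound SA they name, marks that SA suspect,
and tears it down when the count reaches THRESHOLD.  Step 5 of the quoted
scheme clears the count when a valid packet arrives on the inbound SA
that is linked to that outbound SA.
"""
from dataclasses import dataclass
from typing import Dict, Optional

THRESHOLD = 3  # assumed: uncleared notifications before the outbound SA is dropped


@dataclass
class OutboundSA:
    spi: int
    peer: str
    invalid_spi_count: int = 0
    suspect: bool = False
    torn_down: bool = False


@dataclass
class InboundSA:
    spi: int
    peer: str
    # Assumption (b) from the reply: the inbound SA knows which outbound SA
    # it pairs with.  None models a stack that keeps no such linkage.
    linked_outbound: Optional[OutboundSA] = None


class Host:
    def __init__(self, name: str) -> None:
        self.name = name
        self.outbound: Dict[int, OutboundSA] = {}
        self.inbound: Dict[int, InboundSA] = {}

    def add_pair(self, out_spi: int, in_spi: int, peer: str, linked: bool):
        o = OutboundSA(out_spi, peer)
        i = InboundSA(in_spi, peer, o if linked else None)
        self.outbound[out_spi] = o
        self.inbound[in_spi] = i
        return o, i

    def on_invalid_spi_notification(self, spi: int) -> None:
        """Count a (possibly forged) 'invalid spi' notification for an outbound SA."""
        sa = self.outbound.get(spi)
        if sa is None or sa.torn_down:
            return
        sa.suspect = True
        sa.invalid_spi_count += 1
        if sa.invalid_spi_count >= THRESHOLD:
            sa.torn_down = True

    def on_valid_inbound(self, in_spi: int) -> bool:
        """Step 5: a valid inbound packet clears the linked outbound SA's state.

        Returns False when nothing could be cleared because the inbound SA
        carries no linkage to an outbound SA.
        """
        isa = self.inbound.get(in_spi)
        if isa is None or isa.linked_outbound is None:
            return False
        o = isa.linked_outbound
        o.invalid_spi_count = 0
        o.suspect = False
        return True


def run_scenario(bidirectional: bool, linked: bool = True) -> OutboundSA:
    """Attacker forges one notification per sniffed outbound packet.

    bidirectional: genuine reply traffic arrives on the inbound SA between
    forged notifications (assumption (a)).
    linked: the stack maps the inbound SA to its outbound partner (assumption (b)).
    """
    host = Host("gw-a")  # constructed sample host and SPIs
    out_sa, in_sa = host.add_pair(out_spi=0x1001, in_spi=0x2001,
                                  peer="gw-b", linked=linked)
    for _ in range(THRESHOLD):
        host.on_invalid_spi_notification(out_sa.spi)  # forged by the attacker
        if bidirectional:
            host.on_valid_inbound(in_sa.spi)          # genuine reply packet
    return out_sa


if __name__ == "__main__":
    print("bidirectional, linked :", run_scenario(True).torn_down)
    print("unidirectional, linked:", run_scenario(False).torn_down)
    print("bidirectional, unlinked:", run_scenario(True, linked=False).torn_down)
```

Only the first case survives: with reply traffic and a working inbound-to-outbound mapping the forged notifications are cleared each time, whereas a unidirectional tunnel, or a stack with no SA linkage, lets the same forged notifications reach the threshold and tear the SA down.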

