
Re: questions on Anti Replay Check




"Lokesh" <lokeshnb@intotoinc.com> wrote:

> Thanks,
> please see questions inlined.
> -Lokesh
> ----- Original Message -----
> From: Jean-Jacques Puig <jean-jacques.puig@int-evry.fr>
> To: Lokesh <lokeshnb@intotoinc.com>
> Cc: <ipsec@lists.tislabs.com>
> Sent: Friday, February 22, 2002 2:30 PM
> Subject: Re: questions on Anti Replay Check
> 
> 
> > Hi !
> >
> > Lokesh wrote:
> >
> > > My understanding of replay attack is a hacker can get hold of a legitimate packet
> > > in the traffic and transmit it to receiver after a while, this can cause confusion or
> > > have some undesirable consequences at the receiving end. right?
> >
> > Right. Depending on the protocol, one can also cause troubles replaying the packet to another receiver, or even to the original sender.
> >
> 
> Troubles to original sender? how? ones like sender getting two ACKs for one
> packet sent?

Are you talking about TCP's ACK? Replaying would be difficult on connection-oriented protocols (with real ACKs), like TCP, since the connection state evolves and the sequence number changes.
Outside of connection-oriented protocols, the "acks" may contain data, or even authenticated data, and the original sender may act on the knowledge of these data.

But it also works outside of the "ack" context, with multiple recipients:
Imagine a network game running on a LAN using UDP with multicast or broadcast.
In this game, characters are A, B, C... and move in a plane.
A sends an authenticated message to group/broadcast: "A is at (X,Y)". Messages have no anti-replay window;
M (Martin ;-) keeps this message.
A is about to kill M at (X2,Y2); Martin replays the message "A is at (X,Y)", and A appears at (X,Y) because the computer will believe A sent the message. At (X,Y), B (M's fellow) was waiting for him with the RPG. Note that every computer will believe the replayed message, and maybe A's computer also.

> > > Usually Antireplay check is not done for IPsec SA's of manual key management.
> > > why?
> >
> > Usually, manual keying sets directly the secrets of the SA. The anti-replay window will cycle after many exchanges, and SA's administrator may not bother about manually rekeying again and again. Thus, LEGAL packets, with the same characteristics (SPI...) and sequence numbers of ones of the previous cycle will be sent. For a manual-keyed SA to last for many cycles, antireplay check must be disabled, or cycling packets are likely to be dropped.
> >
> > > Like any other secure traffic, traffic carried such SA too can be hacked by
> > > replay attack right?
> >
> > Yes.
> > Maybe an easy way to solve this situation would be to manually set a key seed for the SA, and the key material would be automatically derived from that key on both sides in order to refresh SA's secrets when anti-replay window is about to cycle. But there are hazards of loss of key synchronization between hosts.
> >
> > > ESP RFC 2406 says:
> > >
> > >  The anti-replay service may be selected only if data origin authentication is
> > >    selected, and its election is solely at the discretion of the receiver.
> > >
> > >  Why only if data origin authentication is selected? esp traffic without authentication
> > >   can't come under replay attack?[ assuming AH is not used ]
> >
> > If there is no data origin authentication, one may build or alter a packet with a correct sequence number which will bypass the anti-replay service. This service is useless in such a case.
> >
> > Building a new packet is eased by the lack of authentication.
> > Alter a packet is eased by the improper use of integrity without authentication.
> >
> > Thus authentication is necessary for anti-replay service.
> 
> So manual keying as well as using ESP without authentication are
>  prone to replay attack.
> and there are no safe and easy mechanisms to protect them. Am I right?

IMHO, yes; but I am not an IPsec expert. In correct order:
/Anti-replay is of no use without authentication (the attacker will alter the sequence number to get through the window)
|_Even with authentication, manual keying is vulnerable to replay attack.
(Manual keying will be safe only if the replay window does not cycle.)

I hope someone here will correct this if I am wrong.

> > --
> > Jean-Jacques Puig
> >
> > "There is a Chinese proverb for all situations"
> > -- Chinese proverb --

--
Jean-Jacques Puig

"Don't care about Chinese proverbs"
	-- Irish proverb --
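
The two conclusions of this message, as an added example that is not part of the original thread or of any IPsec implementation: a receiver-side sliding-window check that drops legitimate packets once a never-rekeyed sender's 32-bit counter cycles, and that only stops a rewritten sequence number when an integrity check covers it. The 64-packet window and all names (replay_check, wrapped_sender_packet_accepted, rewritten_replay_accepted) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64u /* window size in packets (constructed choice) */

struct replay_state {
    uint32_t last;   /* highest sequence number accepted so far */
    uint64_t bitmap; /* bit i set: sequence number (last - i) already seen */
};

/* Receiver-side check. icv_ok is the integrity-check result; a packet that
 * fails it never touches the window. Returns 1 = accept, 0 = drop. */
int replay_check(struct replay_state *st, uint32_t seq, int icv_ok)
{
    uint32_t diff;
    if (seq == 0 || !icv_ok) return 0;
    if (seq > st->last) {                  /* right of the window: slide it */
        diff = seq - st->last;
        st->bitmap = diff < WINDOW ? (st->bitmap << diff) | 1 : 1;
        st->last = seq;
        return 1;
    }
    diff = st->last - seq;
    if (diff >= WINDOW || (st->bitmap & (1ULL << diff))) return 0; /* too old, or replay */
    st->bitmap |= 1ULL << diff;
    return 1;
}

/* Manual keying without rekeying: the sender's counter cycles and a LEGAL
 * packet of the second cycle reuses sequence number 1. */
int wrapped_sender_packet_accepted(void)
{
    struct replay_state st = {0, 0};
    replay_check(&st, 1, 1);
    replay_check(&st, UINT32_MAX, 1); /* jump to end of cycle (constructed shortcut) */
    return replay_check(&st, 1, 1);   /* authentic, but far left of the window */
}

/* A captured packet is resent with its sequence number rewritten to 11.
 * With authentication the rewrite breaks the ICV; without it nothing does. */
int rewritten_replay_accepted(int sa_has_auth)
{
    struct replay_state st = {0, 0};
    for (uint32_t s = 1; s <= 10; s++) replay_check(&st, s, 1);
    return replay_check(&st, 11, sa_has_auth ? 0 : 1);
}

int main(void)
{
    printf("cycle-2 packet accepted: %d\n", wrapped_sender_packet_accepted());
    printf("rewritten seq accepted (no auth / auth): %d / %d\n",
           rewritten_replay_accepted(0), rewritten_replay_accepted(1));
    return 0;
}
```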