
Re: draft-ietf-ipsec-ikev2-01.txt



andrew.krywaniuk@alcatel.com ("Andrew Krywaniuk") writes:
> How about: "Repeated re-keying using Phase 2 without PFS will increase the
> amount of data that will be exposed if the Diffie-Hellman key is ever
> compromised. Rekeying without PFS could also aid an attacker in
> cryptanalysing encrypted ESP data if a weakness in the PRF algorithm is ever
> discovered."

I like that text. 

>    - All previous proposals (IKEv1, IKEv2, JFK, and SIGMA) were
>    vulnerable to an active attacker answering Alice's message with bogus
>    information.  Alice cannot distinguish a legitimate message 2 from a
>    bogus message 2.  In this draft we explain how Alice can protect
>    herself from this attack, which is to be willing to continue
>    negotiation with every reply she receives. Only the legitimate Bob
>    will be able to send an acceptable message 4, so the multiple SA's-
>    in-progress will only last until the SA is set up.
> 
> Solving this sort of DoS attack in which the adversary is either (a) on the
> same LAN as the responder or (b) located along the data path should be a
> non-goal.

Why? There are cases where I would really like to protect against this
kind of DoS attack too... Quite often the attacker cannot, for example,
remove packets (it is just listening), and doing, for example, ARP
attacks is easily detectable by the other devices on the network, so
they might just draw attention to the attacker.

Sending a faked packet can be done from a completely different host
(some hacked machine out there in Elbonia), and from a different
machine every time. This way finding the attacker's listening post is
much harder, and he can continue the attack much longer.

> These sorts of adversaries can generally do all sorts of nasty
> things like (a) arping for you or (b) simply removing your packets from the
> wire.

Yes, but if he starts doing that he draws attention to his machine,
and someone will unplug the machine from the network quite soon...

> The danger here is that one SA request by Alice can result in 1000
> replies by Bob (and 1000 DHs that Alice has to compute).

True, but now it is the initiator's choice how many of those he is
willing to try. If the connection is very, very important he can
simply continue until he succeeds. If he thinks it really doesn't
matter even if he cannot read the daily Dilbert using IPsec, he can
just forget the connection immediately.

Anyway, if both ends are willing to consume enough resources on the
exchange, then the exchange will finally succeed, no matter what the
passive listener + active sender type of attacker does.

Currently you only need one UDP packet for each IKE packet you see to
kill all negotiations between two hosts. Also, if the attacker needs to
flood stuff instead of a single packet, it again draws more attention
towards the attacker (itrace etc).

> The best response to this sort of attack is simply to give up on the
> negotiation and retry after some comfort period.

In some cases yes, but let's say you want to go to a remote server to
shut it down because you know that someone is just about to break into it
using some newly discovered method (needing some time to actually do
the attack) and the attacker really, really wants to stop you closing
the security hole before he can get in...

In that case it really doesn't matter how many Diffie-Hellman
calculations my laptops (and probably all of my friends' borrowed
laptops too, to distribute my Diffie-Hellmans) do before they can get
it.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
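
An added sketch, not part of the original message or of the IKEv2 draft, of the initiator policy discussed above: Alice continues with every message 2 she receives, and her own DH budget decides when she gives up. The toy group, the pre-shared key standing in for Bob's credential, and the names `Responder`, `initiate` and `max_dh` are assumptions; messages 3 and 4 are collapsed into one authentication check and replies are processed one after another.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions for illustration, far too small for real use).
P = 2**127 - 1                      # Mersenne prime used as the DH modulus
G = 3
PSK = b"constructed-shared-secret"  # stands in for the credential only Bob holds

def auth_tag(key, shared, a_pub, b_pub):
    """Tag binding the DH result to both public values (stand-in for message 4)."""
    msg = b"|".join(str(v).encode() for v in (shared, a_pub, b_pub))
    return hmac.new(key, msg, hashlib.sha256).digest()

class Responder:
    """Source of one message 2. `key` is PSK for the real Bob, anything else for a forger."""
    def __init__(self, key):
        self.key = key
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def message4(self, a_pub):
        shared = pow(a_pub, self.priv, P)
        return auth_tag(self.key, shared, a_pub, self.pub)

def initiate(replies, max_dh):
    """Continue with each reply until one authenticates or the DH budget is spent.

    Returns (index of the accepted reply or None, DH computations spent)."""
    a_priv = secrets.randbelow(P - 2) + 1
    a_pub = pow(G, a_priv, P)
    spent = 0
    for i, peer in enumerate(replies):
        if spent >= max_dh:
            break                               # initiator's own limit reached
        shared = pow(peer.pub, a_priv, P)       # one DH per candidate message 2
        spent += 1
        expected = auth_tag(PSK, shared, a_pub, peer.pub)
        if hmac.compare_digest(expected, peer.message4(a_pub)):
            return i, spent                     # only the legitimate Bob passes
    return None, spent

if __name__ == "__main__":
    # Constructed scenario: five forged replies arrive before Bob's.
    replies = [Responder(b"forged-%d" % i) for i in range(5)] + [Responder(PSK)]
    print(initiate(replies, max_dh=10))  # patient initiator reaches Bob
    print(initiate(replies, max_dh=3))   # impatient initiator gives up early
```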