
RE: addresses and IKEv2



> Note that only the first of those packets is valid, all others fail the
> replay check and are discarded, thus the callback would be called
> only once for all those replayed packets.

Well, maybe, assuming you have anti-replay protection on and you have
implemented it in the manner suggested by the RFC (there are other
reasonable ways of doing it that are not RFC compliant).

But even so, when you receive a valid IPsec packet from a bogus IP, what are
you supposed to do? The RFC says that you must not update the receive window
until you have integrity-checked the packet. This appears to be a valid
packet with a spoofed IP. If it is really spoofed then we may receive a
duplicate packet with a valid IP at some point. So what is the best course
of action?

a) Discard the packet and update the receive window.
b) Process the packet as if it came from the original IP and update the
receive window.
c) Discard the packet and don't update the receive window.

I'm assuming that this is a transport mode packet, so the outer IP does
matter.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@ssh.fi]
> Sent: Tuesday, June 04, 2002 11:35 AM
> To: 'Eric Nielsen'; "Andrew Krywaniuk"; ipsec@lists.tislabs.com
> Subject: Re: addresses and IKEv2
>
>
> andrew.krywaniuk@alcatel.com ("Andrew Krywaniuk") writes:
> > Yes, this is an important case. Currently we perform this check during SA
> > establishment. Doing it via a user mode callback could be a much more
> > expensive proposition, especially if someone got their hands on a captured
> > packet and started replaying it from thousands of different IPs.
>
> Note that only the first of those packets is valid, all others fail the
> replay check and are discarded, thus the callback would be called
> only once for all those replayed packets.
> --
> kivinen@ssh.fi
> SSH Communications Security                  http://www.ssh.fi/
> SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
>
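An added illustration of the receive-window handling discussed in this thread (example code, not from either poster): the replay pre-check has no side effects, the window is updated only after the ICV verifies, and so a captured packet replayed from many source addresses passes at most once. The key, the addresses, the "unexpected source IP" counter and the 12-byte truncated HMAC-SHA256 ICV are constructed assumptions.

```python
import hmac
import hashlib

class ReplayWindow:
    """Anti-replay sliding window in the style of RFC 2401 Appendix C.
    check() is side-effect free; update() runs only after the ICV verified."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i of bitmap <=> top - i seen

    def check(self, seq):
        if seq == 0 or seq <= self.top - self.size:     # zero is never sent; too old
            return False
        if seq > self.top:                              # right of the window: new
            return True
        return not (self.bitmap >> (self.top - seq)) & 1   # inside window: seen before?

    def update(self, seq):
        if seq > self.top:                              # slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:                                           # late but unseen packet
            self.bitmap |= 1 << (self.top - seq)

class InboundSA:
    def __init__(self, key, peer_ip):
        self.key, self.peer_ip = key, peer_ip
        self.window = ReplayWindow()
        self.address_callbacks = 0   # constructed: times the "unexpected source IP" hook fired

def icv(key, seq, payload):
    """Constructed ICV: HMAC-SHA256 over sequence number and payload, truncated to 96 bits."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:12]

def process_inbound(sa, src_ip, seq, payload, tag):
    """Order required by the RFC: replay pre-check, integrity check, then window update."""
    if not sa.window.check(seq):
        return "replay"
    if not hmac.compare_digest(icv(sa.key, seq, payload), tag):
        return "bad-icv"                       # window left untouched
    sa.window.update(seq)
    if src_ip != sa.peer_ip:                   # the transport-mode address question
        sa.address_callbacks += 1              # hand off to policy; this example only counts
    return "accepted"

def replay_from_many_ips(n):
    """Constructed scenario: one captured valid packet replayed from n spoofed sources.
    Returns (accepted, rejected as replay, address callbacks fired)."""
    sa = InboundSA(b"constructed-key", "192.0.2.1")
    pkt = (5, b"captured", icv(b"constructed-key", 5, b"captured"))
    results = [process_inbound(sa, f"198.51.100.{i}", *pkt) for i in range(n)]
    return results.count("accepted"), results.count("replay"), sa.address_callbacks
```

With the window enforced this way, only the first copy reaches the address check; whether that one copy is then discarded or processed (Andrew's options a, b and c) is a policy decision the code leaves to the caller.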