Re: Adding revised identities to IKEv2
At 15:27 11/18/2002 +0100, Francis Dupont wrote:
> In your previous mail you wrote:
>
> And replying to Francis - I'm too lazy to check myself, but wasn't cookie
> (which is IP address-based) used then as a part of signed contents in IKEv1
> exchange?
>
>=> the cookie is built by the other peer so the only effect is that the
>addresses must remain the same between all packets of a phase,
>a check which is currently done even between phases.
>Can you explain how cookies can forbid an attacker from changing en route
>or as the peer from putting a rogue address in all messages?
If the cookie is a part of the signed contents, then changing IP address
of a packet during IKE exchange will invalidate the signature and will
be detected.
Of course "invisible" denial of service is always possible... I don't know
whether anything can be done to defend against it.
Later on, IP addresses used are those stored in SA, so if a cryptographically
"valid" packet comes from a "wrong" IP address, it's a local policy matter what
to do with it...
A peer can put any IP address it wishes (of course), but why would it
do it - it's already free to advertise any address it chooses.
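The two checks discussed above (an address-bound cookie that the responder can recompute, plus a signature that covers the cookie) can be shown with a small toy model. This is an added illustration, not code from the IPsec WG thread or from any IKE implementation: the cookie follows the construction RFC 2408 sec. 2.5.3 suggests (a hash over addresses, ports, a local secret and a timestamp), an HMAC stands in for the real IKE signature, and all secrets, addresses and the timestamp are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed values: the responder's anti-clogging secret and the per-exchange
# key that stands in for the real IKE signature (RSA/DSA or a PRF keyed with
# SKEYID). None of this is taken from an IKE implementation.
RESPONDER_SECRET = b"constructed-responder-secret"
SESSION_KEY = b"constructed-session-key"
TIMESTAMP = 1037629620  # constructed and fixed so the responder can recompute


def make_cookie(secret: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, timestamp: int) -> bytes:
    """Address-bound cookie, loosely following RFC 2408 sec. 2.5.3:
    a keyed hash over addresses, ports, a local secret and a timestamp."""
    material = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{timestamp}".encode()
    return hmac.new(secret, material, hashlib.sha256).digest()[:8]


def sign(key: bytes, cookie: bytes, body: bytes) -> bytes:
    """Toy 'signature' over the exchange contents, cookie included."""
    return hmac.new(key, cookie + body, hashlib.sha256).digest()


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    cookie: bytes
    body: bytes
    sig: bytes


def responder_check(pkt: Packet) -> str:
    """What the responder does with a later message of the exchange:
    first rebuild the cookie from the addresses the packet actually
    arrived with, then verify the signature over cookie + body."""
    expected = make_cookie(RESPONDER_SECRET, pkt.src_ip, pkt.dst_ip,
                           pkt.src_port, pkt.dst_port, TIMESTAMP)
    if not hmac.compare_digest(expected, pkt.cookie):
        return "reject: cookie does not match packet addresses"
    if not hmac.compare_digest(sign(SESSION_KEY, pkt.cookie, pkt.body), pkt.sig):
        return "reject: signature invalid"
    return "accept"


def scenarios() -> dict:
    """Three constructed packets: honest, address changed en route, and
    address changed with the cookie swapped for one valid for the new address."""
    init_ip, resp_ip, other_ip = "192.0.2.10", "198.51.100.1", "203.0.113.7"
    body = b"constructed-KE|Ni|IDii"
    cookie = make_cookie(RESPONDER_SECRET, init_ip, resp_ip, 500, 500, TIMESTAMP)
    honest = Packet(init_ip, resp_ip, 500, 500, cookie, body,
                    sign(SESSION_KEY, cookie, body))

    # Same packet, source address rewritten en route: the cookie no longer
    # matches the addresses the responder sees.
    rerouted = replace(honest, src_ip=other_ip)

    # Cookie also replaced by one the responder would issue for other_ip
    # (any host can obtain a cookie for its own address). The cookie now
    # fits, but the signature was computed over the original cookie.
    other_cookie = make_cookie(RESPONDER_SECRET, other_ip, resp_ip, 500, 500, TIMESTAMP)
    recookied = replace(rerouted, cookie=other_cookie)

    return {
        "honest": responder_check(honest),
        "rerouted": responder_check(rerouted),
        "recookied": responder_check(recookied),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:10s} -> {verdict}")
```

The first check catches a packet whose addresses changed while its cookie did not; the second is what makes the cookie worth signing, since a cookie that fits the new address can be obtained legitimately but cannot be substituted into someone else's signed exchange. A "valid" packet that fails only the first check is exactly the case the reply leaves to local policy.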