
Man in the middle attack against RFC3456.



There is a man in the middle attack on the DHCP-relay in RFC3456. This
attack is based on the threat defined in RFC3118 (DHCP-AUTH).  In this case
Eve is inside the LAN and able to source DHCPACK packets. If Eve sends a
DHCPACK to an IRAC via a SGW implementing RFC3456, the DHCP-relay on the
SGW will plumb a new route for whatever address Eve puts in yiaddr.

               |-Eve
IRAC ---- SGW -|
               |-DHCP Server

excerpt from RFC3456:
   To learn the internal IP address of the client in order to route
   packets to it, the security gateway will typically snoop the yiaddr
   field within the DHCPACK and plumb a corresponding route as part of
   DHCP Relay processing.

This attack is not resolved by the implementation of RFC3118 unless the
following changes are made to the DHCP-relay.
1 - It stores a copy of all secret keys contained on the DHCP-server and
uses them to authenticate DHCPACKs, or it stores a copy of the master key and
uses that to generate the client keys as described in RFC3118 Appendix A.
2 - The DHCP-relay implements the DHCP-server replay protection.


Darren
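The two relay-side changes listed in the post (authenticate the DHCPACK with the client's key derived from the master key, and enforce the server's replay protection before trusting yiaddr) can be sketched in code. The block below is an added illustration, not code from the post or from any RFC3456/RFC3118 implementation. It builds a DHCPACK carrying an RFC3118-style authentication option (protocol 1, HMAC-MD5, RDM 0 counter), then runs the relay check that only plumbs a route when the MAC verifies and the replay counter advances. Assumptions, labelled in the code: the client key is HMAC-MD5(master key, client identifier) in the spirit of RFC3118 Appendix A; the MAC covers the whole message with hops, giaddr and the MAC field zeroed; the master key, secret ID, addresses and client identifier are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Constructed sample values for this example (not from the post or any deployment).
MASTER_KEY = b"example-master-key-not-real"
SECRET_ID = 1

MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_AUTH, OPT_END = 53, 61, 90, 255
DHCPACK = 5
AUTH_PROTO_DELAYED, AUTH_ALG_HMAC_MD5, RDM_COUNTER = 1, 1, 0
AUTH_LEN = 3 + 8 + 4 + 16   # proto/alg/rdm + replay value + secret id + HMAC-MD5


def derive_client_key(master_key: bytes, client_id: bytes) -> bytes:
    """Client key = HMAC-MD5(master key, client identifier).
    Assumption: this mirrors the key-derivation idea of RFC3118 Appendix A."""
    return hmac.new(master_key, client_id, hashlib.md5).digest()


def _header(yiaddr: bytes, xid: int, chaddr: bytes) -> bytes:
    """Fixed 236-byte BOOTP header: op=2 (BOOTREPLY), htype=1, hlen=6, hops=0."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                       b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                       chaddr, b"\0" * 64, b"\0" * 128)


def _zeroed_for_mac(msg: bytes, mac_offset: int) -> bytes:
    """Copy of the message with hops, giaddr and the MAC field zeroed.
    Assumption: relays rewrite hops/giaddr, so they are excluded from the MAC."""
    b = bytearray(msg)
    b[3] = 0                                   # hops
    b[24:28] = b"\0" * 4                       # giaddr
    b[mac_offset:mac_offset + 16] = b"\0" * 16  # HMAC-MD5 field
    return bytes(b)


def build_ack(yiaddr: bytes, client_id: bytes, replay_counter: int, key: bytes,
              xid: int = 0x1234, chaddr: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """DHCPACK with message type, client identifier and an authentication option."""
    opts = bytes([OPT_MSG_TYPE, 1, DHCPACK])
    opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    auth = bytes([AUTH_PROTO_DELAYED, AUTH_ALG_HMAC_MD5, RDM_COUNTER])
    auth += struct.pack("!Q", replay_counter) + struct.pack("!I", SECRET_ID)
    prefix = _header(yiaddr, xid, chaddr) + MAGIC + opts + bytes([OPT_AUTH, AUTH_LEN]) + auth
    mac_offset = len(prefix)
    msg = prefix + b"\0" * 16 + bytes([OPT_END])
    mac = hmac.new(key, _zeroed_for_mac(msg, mac_offset), hashlib.md5).digest()
    return msg[:mac_offset] + mac + msg[mac_offset + 16:]


def build_plain_ack(yiaddr: bytes) -> bytes:
    """DHCPACK with no authentication option: what a LAN host can source freely."""
    return _header(yiaddr, 0x1234, b"\0" * 6) + MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPACK, OPT_END])


def _parse_options(msg: bytes) -> Dict[int, Tuple[int, bytes]]:
    """Map option code -> (offset of value within msg, value bytes)."""
    out: Dict[int, Tuple[int, bytes]] = {}
    i = 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:          # pad
            i += 1
            continue
        length = msg[i + 1]
        out[msg[i]] = (i + 2, msg[i + 2:i + 2 + length])
        i += 2 + length
    return out


class AuthenticatingRelay:
    """Relay that refuses to plumb a route from yiaddr unless the DHCPACK
    authenticates under the client's derived key and the replay counter advances."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_rd: Dict[bytes, int] = {}      # per-client highest accepted counter
        self.routes: Dict[bytes, str] = {}       # routes actually plumbed

    def process_ack(self, msg: bytes) -> Optional[str]:
        opts = _parse_options(msg)
        if opts.get(OPT_MSG_TYPE, (0, b""))[1] != bytes([DHCPACK]):
            return None
        if OPT_AUTH not in opts or OPT_CLIENT_ID not in opts:
            return None                          # unauthenticated ACK: drop, no route
        off, auth = opts[OPT_AUTH]
        if len(auth) != AUTH_LEN or auth[:3] != bytes([AUTH_PROTO_DELAYED, AUTH_ALG_HMAC_MD5, RDM_COUNTER]):
            return None
        rd = struct.unpack("!Q", auth[3:11])[0]
        client_id = opts[OPT_CLIENT_ID][1]
        if rd <= self.last_rd.get(client_id, -1):
            return None                          # replayed or stale counter
        key = derive_client_key(self.master_key, client_id)
        expected = hmac.new(key, _zeroed_for_mac(msg, off + 15), hashlib.md5).digest()
        if not hmac.compare_digest(expected, auth[15:31]):
            return None                          # wrong key: forged ACK
        self.last_rd[client_id] = rd             # advance only after the MAC verifies
        yiaddr = ".".join(str(b) for b in msg[16:20])
        self.routes[client_id] = yiaddr
        return yiaddr
```

Usage: create `AuthenticatingRelay(MASTER_KEY)`, feed it `build_ack(...)` messages signed with `derive_client_key(MASTER_KEY, client_id)`, and observe that a replayed ACK, an ACK signed under a different key, or a `build_plain_ack(...)` all return `None` and leave `routes` untouched. A relay that does only the yiaddr snooping quoted from RFC3456 would plumb a route for every one of them.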