[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sensationalism? [was Re: FW: Man in the middle attack against RFC3456.]

To: ddukes@cisco.com
Subject: Re: Sensationalism? [was Re: FW: Man in the middle attack against RFC3456.]
From: "Scott G. Kelly" <scott@bstormnetworks.com>
Date: Wed, 05 Feb 2003 12:51:51 -0800
CC: ipsec@lists.tislabs.com
Organization: BlackStorm Networks
References: <JJEIIAMEIEEPEILEFFODMEKGEDAA.ddukes@cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Forgive my skepticism, but this is nothing but a distraction. If you
have malicious insiders that will mount such attacks, you have serious
problems, and should not be depending on some weak dhcp auth scheme to
remedy this. Obvious solutions are to isolate the dhcp server, or to run
ipsec between the sgw and the dhcp server. Why are we wasting time on
this?

Enough said.

Scott

Darren Dukes wrote:
> 
> Support of RFC3118 was significant enough for you to put in RFC3456, so why
> is an illustration of the attack refuting that support called
> sensationalism?  See RFC3456 Section 2.1 under "Authentication".
> 
> I think you're trivializing this.  RFC3456 has been touted as providing all
> the modern and future capabilities of DHCP to IPsec clients.  This is one
> case of how it fails to do this, and all it took to find was a few other
> implementers taking a quick look at it yesterday.
> 
> If this attack has no technical merit then RFC3118 must not either (see
> section 1.1).  RFC3118 exists to stop this sort of attack, so there must
> have been a significant need for it otherwise why would the authors waste
> their time writing it and advancing it to RFC?
> 
> If you can get rid of the necessity of snooping yiaddr in RFC3456 you can
> fix this.
> 
> BTW modecfg with a DHCP-proxy will not suffer from this since the
> DHCP-client implemented on the SGW could be provided with a single DHCP key.
> 
> Darren
> 
> > -----Original Message-----
> > From: scott@nc600c-sk [mailto:scott@nc600c-sk]On Behalf Of Scott G.
> > Kelly
> > Sent: Wednesday, February 05, 2003 2:52 PM
> > To: ddukes@cisco.com
> > Cc: ipsec@lists.tislabs.com
> > Subject: Sensationalism? [was Re: FW: Man in the middle attack against
> > RFC3456.]
> >
> >
> > Come on, Darren - you must be joking. What you describe is not an attack
> > against RFC3456 - it's an attack against DHCP/BOOTP, and this is nothing
> > new. If you run DHCP on your network and you have malicious insiders,
> > they can do all sorts of things. The same applies for most other
> > commonly run lan protocols. And since you've already conceded that a
> > scalable modecfg implementation will be running dhcp on the backend,
> > what is the point of this post?
> >
> > Let's stick with arguments with technical merit.
> >
> > Scott
> >
> > Darren Dukes wrote:
> > >
> > > Amendment:
> > > Eve sends the DHCPACK to the DHCP-relay (not the IRAC) with a
> > manufactured
> > > DHCP Relay Agent Information Option or one copied from a previous DHCP
> > > message.
> > >
> > > > -----Original Message-----
> > > > From: Darren Dukes [mailto:ddukes@cisco.com]
> > > > Sent: Wednesday, February 05, 2003 12:10 PM
> > > > To: ipsec@lists.tislabs.com
> > > > Subject: Man in the middle attack against RFC3456.
> > > >
> > > >
> > > > There is a man in the middle attack on the DHCP-relay in RFC3456.
> > > > This attack is based on the thread defined in RFC3118
> > > > (DHCP-AUTH).  In this case Eve is inside the LAN and able to
> > > > source DHCPACK packets, if Eve sends a DHCPACK to a an IRAC via a
> > > > SGW implementing RFC3456 the DHCP-relay on the SGW will plumb a
> > > > new route for whatever address Eve puts in yiaddr.
> > > >
> > > >                |-Eve
> > > > IRAC ---- SGW -|
> > > >                |-DHCP Server
> > > >
> > > > excerpt from RFC3456:
> > > >    To learn the internal IP address of the client in order to route
> > > >    packets to it, the security gateway will typically snoop the yiaddr
> > > >    field within the DHCPACK and plumb a corresponding route as part of
> > > >    DHCP Relay processing.
> > > >
> > > > This attack is not resolved by the implementation of RFC3118
> > > > unless the following changes are made to the DHCP-relay.
> > > > 1 - It stored a copy of all secret keys contained on the
> > > > DHCP-server and used them to authenticate DHCPACKs or it stored a
> > > > copy of the master key and used that to generate the client keys
> > > > as described in RFC3118 Appendix A.
> > > > 2 - DHCP-relay implements the DHCP-server replay protection.
> > > >
> > > >
> > > > Darren
> > > >

References:
- RE: Sensationalism? [was Re: FW: Man in the middle attack against RFC3456.]
  - From: "Darren Dukes" <ddukes@cisco.com>

Prev by Date: Re: Modefg considered harmful
Next by Date: A basic question.
Prev by thread: RE: Sensationalism? [was Re: FW: Man in the middle attack against RFC3456.]
Next by thread: Re: Sensationalism? [was Re: FW: Man in the middle attack against RFC3456.]
Index(es):
- Date
- Thread