[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Nat Traversal concern in IKEv2
I've wound up with some extra time on my hands lately and thought I'd
contribute some more.
So when sending NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP
these payloads contain a SHA1 hash of the IP address and port.
First of all, there is no specification as to what key to use for the
SHA1. And this is before the DH has completed. So I see no reasonable
choice for how to key this algorithm.
But more worrisome would be that a dictionary attack on all possible IP
addresses with 500 and 4500 for ports would reveal the key with fairly
light effort. So I perceive a requirement that the key used for this
SHA1 in the NAT_DETECTION_* payloads MUST NOT be related in any way to
the keys or key generating material used for privacy, integrity and
authentication later. This requirement seems onerous.
So perhaps we could move the NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP payloads to somewhere in the protected
portion of the IKE exchanges and just put the IP/port in the packet
directly (not a SHA1 hash).
What do y'all think?
(formerly with Sonciwall and before that formerly with Redcreek)