[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Nat Traversal concern in IKEv2




On Thursday, June 19, 2003, at 04:46 PM, Ricky Charlet wrote:

> Howdy,
>
> 	I've wound up with some extra time on my hands lately and thought I'd 
> contribute some more.
>
>
> So when sending NAT_DETECTION_SOURCE_IP or 
> NAT_DETECTION_DESTINATION_IP these payloads contain a SHA1 hash of the 
> IP address and port.
>
> First of all, there is no specification as to what key to use for the 
> SHA1. And this is before the DH has completed. So I see no reasonable 
> choice for how to key this algorithm.
>
> But more worrisome would be that a dictionary attack on all possible 
> IP addresses with 500 and 4500 for ports would reveal the key with 
> fairly light effort. So I perceive a requirement that the key used for 
> this SHA1 in the NAT_DETECTION_* payloads MUST NOT be related in any 
> way to the keys or key generating material used for privacy, integrity 
> and authentication later. This requirement seems onerous.
>

oops. Just a bit more thinking about the matter and I realized that 
knowing the 8 billion possible plain texts does not constitute a 
dictionary attack on the secret. And probably does not give much value 
to an attacker trying to recover the key.

But, still, what key to use? And why not put this under the protected 
IKE exchanges?


>
> So perhaps we could move the  NAT_DETECTION_SOURCE_IP and 
> NAT_DETECTION_DESTINATION_IP payloads to somewhere in the protected 
> portion of the IKE exchanges and just put the IP/port in the packet 
> directly (not a SHA1 hash).
>
> What do y'all think?
>
>
>
>
>
> ---
> Ricky Charlet
> (formerly with Sonciwall and before that formerly with Redcreek)
> rcharlet@alumni.calpoly.edu
> 510.324.3163
>
>
---
Ricky Charlet
rcharlet@alumni.calpoly.edu
510.324.3163