
Question about Version Numbers



Hi Friends,
In IKEv2, section 2.5 (Version Numbers and Forward Compatibility), the
text says
  ".....If Alice is capable of speaking versions n,
    n+1, and n+2, and Bob is capable of speaking versions n and n+1, then
    they will negotiate speaking n+1, where Alice will set the flag
    indicating ability to speak a higher version. If they mistakenly
    (perhaps through an active attacker sending error messages) negotiate
    to version n, then both will notice that the other side can support a
    higher version number, and they MUST break the connection and
    reconnect using version n+1."

Let us assume the following scenario:
Alice has sent the message with version n+2 to Bob, and in between the attacker
'yyy' has tricked Alice into using version 'n'. So the next message
from Alice, with version 'n' and the flag enabled (which indicates that Alice
supports a higher version), is sent to Bob, and Bob will send the
second message with version 'n' and the flag enabled (which indicates that Bob
supports a higher version). Then the draft says "they MUST break the connection
and reconnect using version n+1." So Alice again starts with version 'n+1',
and the attacker again tricks her into using version 'n', or the attacker even
tricks Alice by sending version n+1 with the flag (that indicates a higher
version) enabled, where Bob doesn't even support a higher version than n+1, and
thereby the attacker succeeds in interrupting the IKE exchanges. My doubt is:
are we not going in a loop??

My feeling is that the text should be as follows:
".....If Alice is capable of speaking versions n,
    n+1, and n+2, and Bob is capable of speaking versions n and n+1, then
    they will negotiate speaking n+1, where Alice will set the flag
    indicating ability to speak a higher version. If they mistakenly
    (perhaps through an active attacker sending error messages) negotiate
    to version n, then both will notice that the other side can support a
    higher version number, and they SHOULD continue and SHOULD audit the event"


Thanks
Vamsi
CTO Office
Intoto Inc.
www.intoto.com
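Added model (not from the thread, the draft or any IKE implementation) of the negotiation the quoted section 2.5 paragraph describes, with versions n, n+1, n+2 written as 1, 2, 3; `Peer`, `Header`, `exchange`, `negotiate` and the `attacker_forces` parameter are this example's own names, and the attacker's spoofed error message is modelled only as a lower starting version in round 1.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Header:
    version: int   # major version carried in the IKE header
    higher: bool   # flag: sender could speak a version above `version`

class Peer:
    def __init__(self, name: str, versions: set):
        self.name, self.versions, self.max = name, frozenset(versions), max(versions)

    def header(self, version: int) -> Header:
        # The flag is set whenever the sender supports something newer than
        # what it actually put in the header (section 2.5 behaviour).
        assert version in self.versions, f"{self.name} cannot speak v{version}"
        return Header(version, self.max > version)

def exchange(alice: Peer, bob: Peer, start: Optional[int] = None) -> Tuple[int, bool]:
    """One IKE_SA_INIT round. `start` models an attacker's spoofed error message
    that has talked Alice down to a lower version than her best.
    Returns (version in use, downgrade detected by either side)."""
    proposed = alice.max if start is None else start
    common = [v for v in alice.versions & bob.versions if v <= proposed]
    if not common:
        raise ValueError("no mutually supported version at or below proposal")
    # Bob rejects a version he lacks and names his highest; after that retry the
    # highest mutual version not above the proposal is what both put on the wire.
    agreed = max(common)
    req, resp = alice.header(agreed), bob.header(agreed)
    # Each side sees the peer's flag and knows its own ceiling; if both could go
    # higher than `agreed`, the version was chosen mistakenly.
    alice_sees = resp.higher and alice.max > agreed
    bob_sees = req.higher and bob.max > agreed
    return agreed, alice_sees or bob_sees

def negotiate(alice: Peer, bob: Peer, attacker_forces: Optional[int] = None,
              max_rounds: int = 5) -> Tuple[int, int]:
    """Reconnect with n+1 after every detected downgrade, as the text requires.
    The attacker acts only in round 1; returns (final version, rounds used)."""
    start = attacker_forces
    for rnd in range(1, max_rounds + 1):
        agreed, detected = exchange(alice, bob, start)
        if not detected:
            return agreed, rnd
        start = agreed + 1  # MUST break the connection and reconnect using n+1
    raise RuntimeError("version negotiation did not converge")

ALICE = Peer("Alice", {1, 2, 3})   # speaks n, n+1, n+2
BOB = Peer("Bob", {1, 2})          # speaks n, n+1
```

With a single spoofed error the loop ends after one reconnect; the `max_rounds` guard is what bounds the cost if the downgrade were repeated every round, which is the case the question above is about.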