
Re: Question about Version Numbers



>>>>> "vamsi" == vamsi  <vamsi@intotoinc.com> writes:

 vamsi> Hi Friends, in IKEv2 section 2.5, Version Numbers and
 vamsi> Forward Compatibility, the text says ".....If Alice is capable
 vamsi> of speaking versions n, n+1, and n+2, and Bob is capable of
 vamsi> speaking versions n and n+1, then they will negotiate speaking
 vamsi> n+1, where Alice will set the flag indicating ability to speak
 vamsi> a higher version. If they mistakenly (perhaps through an
 vamsi> active attacker sending error messages) negotiate to version
 vamsi> n, then both will notice that the other side can support a
 vamsi> higher version number, and they MUST break the connection and
 vamsi> reconnect using version n+1."

 vamsi> Let us assume the following scenario: Alice has sent the
 vamsi> message with version n+2 to Bob, and in between the attacker
 vamsi> 'yyy' has tricked Alice into using version 'n'. So the next
 vamsi> message from Alice, with version 'n' and the flag enabled
 vamsi> (which indicates that Alice supports a higher version), is
 vamsi> sent to Bob, and he (Bob) will send the second message with
 vamsi> version 'n' and the flag enabled (which indicates that Bob
 vamsi> supports a higher version). Then the draft says "they MUST
 vamsi> break the connection and reconnect using version n+1." So
 vamsi> Alice again starts with version 'n+1', and the attacker again
 vamsi> tricks her into using version 'n', or the attacker even tricks
 vamsi> Alice by sending with version n+1 and the flag (that indicates
 vamsi> a higher version) enabled, where Bob doesn't even support a
 vamsi> higher version than n+1, and thereby the attacker succeeds in
 vamsi> interrupting the IKE exchanges. My doubt is: are we not going
 vamsi> in a loop??

If the attacker wants to persist in the attack, sure, it becomes a
denial of service attack.  So what?  An active attacker can easily
deny service in many easier ways.

The important point here is that the attack is ONLY a denial of
service attack, not a protocol downgrade attack.  That's what the spec
requires, and it should stay that way.

	  paul
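An added illustration of the point made in this exchange (example code, not from the thread or from any IKEv2 implementation): a small model of the section 2.5 rule, with constructed version sets and attacker behaviour. It runs the scenarios from the question, a one-off push down to n, a persistent one, and a forged "higher version" flag from Bob, and shows that each ends either at the honest highest common version or in a failed negotiation, never at a lower agreed version.

```python
# Added example, not code from the thread. Each peer holds a set of major
# versions it can speak (constructed values); every message carries the
# version in use and a flag meaning "I can speak a higher version".

def honest_version(alice, bob):
    """Version the two peers would settle on with no interference."""
    return max(alice & bob)

def downgrade_detected(alice_flag, bob_flag):
    """Section 2.5 rule: if both peers signal that they can speak something
    higher than the version in use, the negotiation was pushed down and the
    connection MUST be broken and retried one version up."""
    return alice_flag and bob_flag

def negotiate(alice, bob, forced=(), spoof_bob_flag=False, max_attempts=6):
    """Run the exchange up to max_attempts times.

    forced[i] is the version an active attacker tricks Alice into starting
    attempt i with (None = no interference); spoof_bob_flag models the
    attacker forging Bob's 'higher version' flag.
    Returns (agreed_version or None, attempts_used, downgrades_detected)."""
    assert alice & bob, "peers share no version"
    next_version = max(alice)          # Alice opens at her highest
    detected = 0
    for attempt in range(1, max_attempts + 1):
        force = forced[attempt - 1] if attempt - 1 < len(forced) else None
        version = force if force in alice else next_version
        if version not in bob:
            # Honest Bob rejects and states his highest; Alice retries on
            # the highest version she speaks at or below it.
            next_version = max(v for v in alice if v <= max(bob))
            continue
        alice_flag = max(alice) > version
        bob_flag = max(bob) > version or spoof_bob_flag
        if downgrade_detected(alice_flag, bob_flag):
            detected += 1
            # reconnect one version up (n+1 in the quoted text)
            next_version = min(v for v in alice if v > version)
            continue
        return version, attempt, detected
    return None, max_attempts, detected  # denial of service, no downgrade

if __name__ == "__main__":
    alice, bob = {1, 2, 3}, {1, 2}       # n=1, n+1=2, n+2=3
    print("no attacker  :", negotiate(alice, bob))
    print("pushed once  :", negotiate(alice, bob, forced=(1,)))
    print("pushed always:", negotiate(alice, bob, forced=(1,) * 6))
    print("forged flag  :", negotiate(alice, bob, spoof_bob_flag=True))
```

The persistent attacker only ever produces the `None` outcome; no run agrees on anything below `honest_version`, which is the distinction paul draws between denial of service and a downgrade.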