
[Ipsec] comment on "empty message" in IKEv2 draft



Yonghui Cheng writes:
> The IKEv2 draft/RFC should emphasize that when sending "empty" messages
> in IKEv2, the actual messages should include an empty "encrypted
> payload".

True. 

> "Empty" messages are used for DPD (dead peer detection) and acknowledge
> purposes. Without encrypted payload, the message is not authenticated,
> which should be considered a security problem.

Note that empty messages can be used for dead peer detection, but
they cannot be used to prove liveness. I.e. the malicious peer can
create responses to empty DPD messages beforehand and forward them
to somebody using them to claim to the other end that he is not
dead even when he might have already been gone.

This makes, for example, DPD done after the NAT-T not as secure as it
could be. I.e. a malicious initiator can use NAT-T to do 3rd party
bombing against a 3rd party, and continue doing that even when the
server tries to do return routability checks.

There would be an easy fix for that: the server simply includes the N(COOKIE)
notify payload inside the encrypted payload in the DPD, and then we simply
add text to the draft-ietf-ipsec-ike2 draft inside the "COOKIE
16390" section saying:

	If this notification message is received in any request, it
	MUST be included in the reply packet, with exactly the same
	data.

This would allow the servers to decide which kind of return
routability checks (if any) they will do with NAT-T. 
-- 
kivinen@safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec