REDIRECT notification by the responder upon receiving IKE_SA_INIT might be exploited by intelligent injection of REDIRECT notifications. In the site-to-site VPN case, it is not difficult for attackers to know the IP addresses of the gateways. UDP source and destination ports are known. If the attacker guesses the Initiator SPI, it is possible to DoS the VPN Initiator. This problem compounds if the Initiator caches the information from the REDIRECT notification. This attack is similar to the DNS poisoning attack which became famous in 2008.

If the initiator SPI is random data, then guessing would be nearly impossible and we don't need to worry about it. I was told that the Initiator SPI was not mandated to be random in the IKEv2 specifications (though this problem may not be there in IKEv1, as Cookies are expected to be random - but we are not discussing IKEv1 here in this context). If that is indeed the case, then I think that we need to have some mechanism to thwart these kinds of attacks. One possible solution would be to send RANDOM data as part of "REDIRECTION_SUPPORTED" and expect this RANDOM to be seen in the "REDIRECT" notification.

Regards
Srini

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
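As an added illustration, not part of the thread and not the code of any IKE implementation, the following Python sketch shows the initiator-side check the post proposes: the initiator sends random data in its REDIRECT_SUPPORTED notification and accepts a REDIRECT only if that data is echoed back, so a REDIRECT built from a guessed Initiator SPI alone is dropped and the redirect cache is never poisoned. The `Initiator` class, the dict-based message layout, the SPI value and the addresses are all constructed assumptions for the example.

```python
import os
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NONCE_LEN = 32  # bytes of random data carried in REDIRECT_SUPPORTED (assumed size)


@dataclass
class PendingInit:
    """One outstanding IKE_SA_INIT, remembered until its response arrives."""
    responder: str
    initiator_spi: bytes
    nonce: bytes


@dataclass
class Initiator:
    """Hypothetical IKEv2 initiator: tracks outstanding IKE_SA_INIT exchanges
    keyed by Initiator SPI and keeps a cache of accepted redirects."""
    pending: Dict[bytes, PendingInit] = field(default_factory=dict)
    redirect_cache: Dict[str, str] = field(default_factory=dict)  # gateway -> redirected-to

    def build_ike_sa_init(self, responder: str, initiator_spi: Optional[bytes] = None) -> dict:
        # The SPI may be predictable (the thread's concern); the nonce never is.
        spi = initiator_spi if initiator_spi is not None else os.urandom(8)
        nonce = os.urandom(NONCE_LEN)
        self.pending[spi] = PendingInit(responder, spi, nonce)
        return {"dst": responder, "initiator_spi": spi,
                "notify": {"REDIRECT_SUPPORTED": nonce}}

    def handle_redirect(self, src: str, msg: dict) -> Tuple[bool, str]:
        """Validate a REDIRECT against the exchange it claims to answer."""
        spi = msg.get("initiator_spi")
        pend = self.pending.get(spi)
        if pend is None:
            return False, "no outstanding IKE_SA_INIT for this SPI"
        # Source-address check alone is weak: a UDP source address is spoofable,
        # which is exactly why the nonce binding below is needed.
        if src != pend.responder:
            return False, "REDIRECT from unexpected source address"
        redirect = msg.get("notify", {}).get("REDIRECT", {})
        echoed = redirect.get("nonce", b"")
        if not hmac.compare_digest(echoed, pend.nonce):
            return False, "nonce mismatch: REDIRECT not bound to our IKE_SA_INIT"
        new_gw = redirect.get("gateway")
        if not new_gw:
            return False, "REDIRECT carries no gateway"
        del self.pending[spi]  # one-shot: a replayed REDIRECT for this SPI is refused
        self.redirect_cache[pend.responder] = new_gw
        return True, new_gw


def demo() -> dict:
    """Constructed scenario: guessable SPI, one forged and one genuine REDIRECT."""
    init = Initiator()
    gateway = "203.0.113.1"
    guessable_spi = bytes.fromhex("0000000000000001")  # constructed non-random SPI
    req = init.build_ike_sa_init(gateway, guessable_spi)

    # Forged REDIRECT: SPI and source address match, but the random data does not.
    forged = {"initiator_spi": guessable_spi,
              "notify": {"REDIRECT": {"gateway": "198.51.100.9",
                                      "nonce": os.urandom(NONCE_LEN)}}}
    forged_ok, forged_reason = init.handle_redirect(gateway, forged)

    # Genuine REDIRECT: echoes the data we sent in REDIRECT_SUPPORTED.
    genuine = {"initiator_spi": guessable_spi,
               "notify": {"REDIRECT": {"gateway": "203.0.113.2",
                                       "nonce": req["notify"]["REDIRECT_SUPPORTED"]}}}
    genuine_ok, new_gateway = init.handle_redirect(gateway, genuine)

    # The same genuine message delivered a second time is no longer accepted.
    replay_ok, _ = init.handle_redirect(gateway, genuine)

    return {"forged_accepted": forged_ok, "forged_reason": forged_reason,
            "genuine_accepted": genuine_ok, "new_gateway": new_gateway,
            "replay_accepted": replay_ok, "cache": dict(init.redirect_cache)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison uses `hmac.compare_digest` so that the rejection path does not leak how many leading bytes of the guess were right, and the pending entry is deleted once a REDIRECT is accepted so the same SPI cannot be redirected twice; caching only after the nonce check is what keeps a guessed SPI from poisoning the cache.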
