Addepalli Srini-B22160 wrote:
REDIRECT notification by the responder upon receiving IKE_SA_INIT might
be exploited by intelligent injection of REDIRECT notifications. In the
site-to-site VPN case, it is not difficult for attackers to know the IP
addresses of gateways. UDP source and destination ports are known.
If an attacker guesses the Initiator SPI, it is possible to DoS the VPN
Initiator. This problem compounds if the Initiator caches the information
from the REDIRECT notification. This attack is similar to the DNS poisoning
attack which became famous in 2008.

If the initiator SPI is random data, then guessing would be nearly
impossible and we don't need to worry about it. I was told that the
Initiator SPI was not mandated to be random in the IKEv2 specifications
(though this problem may not be there in IKEv1, as Cookies are expected
to be random, but we are not discussing IKEv1 here in this context). If
that was indeed the case, then I think we need to have some
mechanism to thwart these kinds of attacks.

One possible solution would be to send RANDOM data as part of
"REDIRECTION_SUPPORTED" and expect this RANDOM to be seen in "REDIRECT"
notification.
Sounds ok to me. Anyone else have comments/opinions on this before I add
this to the document?
We can have a random 32-bit identifier included in the
REDIRECTION_SUPPORTED payload and have the gateway echo this in the
REDIRECT payload. Note that this would be applicable only to redirect
during the IKE_SA_INIT exchange.
Vijay
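The check Vijay describes, as an added illustration that is not part of the thread or of any IKEv2 implementation: the initiator carries a random 32-bit identifier in REDIRECT_SUPPORTED and accepts a REDIRECT only if the gateway echoes it, so a REDIRECT that merely matches a guessed Initiator SPI is dropped and nothing is cached. Payload names, field layout and the `Initiator`/`gateway_redirect` helpers are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass

# Notification names from the thread; the 32-bit identifier is the proposal under
# discussion, not a field of any published payload format (assumed layout).
REDIRECT_SUPPORTED = "REDIRECT_SUPPORTED"
REDIRECT = "REDIRECT"

@dataclass
class IkeSaInitRequest:
    initiator_spi: bytes   # 8-octet IKE SPI chosen by the initiator
    notify: str            # REDIRECT_SUPPORTED
    redirect_id: bytes     # 4 random octets carried inside REDIRECT_SUPPORTED

@dataclass
class RedirectNotify:
    initiator_spi: bytes
    notify: str            # REDIRECT
    redirect_id: bytes     # must echo the identifier from the request
    new_gateway: str

class Initiator:
    """Holds state for one outstanding IKE_SA_INIT and validates REDIRECTs against it."""
    def __init__(self) -> None:
        self.spi = secrets.token_bytes(8)
        self.redirect_id = secrets.token_bytes(4)   # the proposed random identifier
        self.pending = True
        self.gateway = None                         # cached only on a valid REDIRECT

    def build_ike_sa_init(self) -> IkeSaInitRequest:
        return IkeSaInitRequest(self.spi, REDIRECT_SUPPORTED, self.redirect_id)

    def spi_only_check(self, msg: RedirectNotify) -> bool:
        """Pre-proposal behaviour: a REDIRECT is trusted if the Initiator SPI matches."""
        return self.pending and msg.notify == REDIRECT and msg.initiator_spi == self.spi

    def handle_redirect(self, msg: RedirectNotify) -> bool:
        """Proposed behaviour: SPI must match AND the echoed identifier must equal ours."""
        if not self.spi_only_check(msg):
            return False
        if not secrets.compare_digest(msg.redirect_id, self.redirect_id):
            return False          # unsolicited or mismatched REDIRECT: drop, cache nothing
        self.pending = False
        self.gateway = msg.new_gateway
        return True

def gateway_redirect(req: IkeSaInitRequest, new_gateway: str) -> RedirectNotify:
    """Honest responder: copies the identifier from REDIRECT_SUPPORTED into REDIRECT."""
    return RedirectNotify(req.initiator_spi, REDIRECT, req.redirect_id, new_gateway)
```

As the thread notes, this only protects the REDIRECT sent during IKE_SA_INIT; a later REDIRECT inside the protected IKE SA is already authenticated.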
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec