Hi,

I'm not sure in what way this is worse than other potential attacks at this
stage, such as sending back an unprotected notification saying that the
offered group is unacceptable.

This case is different though if the attacker redirects into a legitimate
gateway, because things look normal, traffic gets through, but an innocent
gateway may get overwhelmed if all other "equivalent" gateways are
redirected to it.

It may be simpler to echo the nonce Ni back to the initiator as part of the
Redirect payload. This would introduce no new state.

Thanks,
        Yaron

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Vijay Devarapalli
> Sent: Wednesday, March 18, 2009 20:41
> To: Addepalli Srini-B22160
> Cc: IPsecme WG
> Subject: Re: [IPsec] DoS Attack Possibility?
> 
> Addepalli Srini-B22160 wrote:
> > REDIRECT notification by the responder upon receiving IKE_SA_INIT might
> > be exploited by intelligent injection of REDIRECT notifications.  In
> > site-to-site VPN case, it is not difficult for attackers to know IP
> > addresses of gateways. UDP source port and destination ports are known.
> > If attacker guesses the Initiator SPI, it is possible to DoS the VPN
> > Initiator. This problem compounds if Initiator caches the information
> > from REDIRECT notification. This attack is similar to DNS Poisoning
> > attack which became famous in 2008.
> >
> > If the initiator SPI is random data, then guessing would be nearly
> > impossible and we don't need to worry about it.  I was told that
> > Initiator SPI was not mandated to be random in IKEv2 specifications
> > (Though this problem may not be there in IKEv1 as Cookies are expected
> > to be random - but we are not discussing IKEv1 here in this context). If
> > that was the case indeed, then I think that we need to have some
> > mechanism to thwart these kinds of attacks.
> >
> > One possible solution would be to send RANDOM data as part of
> > "REDIRECTION_SUPPORTED" and expect this RANDOM to be seen in "REDIRECT"
> > notification.
> 
> Sounds ok to me. Anyone else have comments/opinions on this before I add
> this to the document?
> 
> We can have a random 32-bit identifier included in the
> REDIRECTION_SUPPORTED payload and have the gateway echo this in the
> REDIRECT payload. Note that this would be applicable only to redirect
> during the IKE_SA_INIT exchange.
> 
> Vijay
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
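As an added example (not code from this thread or from any IKEv2 implementation), a constructed Python model of the check Vijay and Yaron discuss: the initiator carries a random value in REDIRECTION_SUPPORTED and accepts a REDIRECT only when it echoes that value for the still-pending IKE_SA_INIT. The payload layout, the class names and the off-path attacker model (someone who guesses the Initiator SPI but never saw the request, as in the DNS-poisoning analogy) are assumptions.

```python
import os
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

# Constructed model of the IKE_SA_INIT redirect exchange discussed in the
# thread; it is not an IKEv2 implementation and the payload layout is assumed.

@dataclass(frozen=True)
class Redirect:
    spi_i: bytes                   # Initiator SPI copied from the IKE header
    new_gateway: str               # address the initiator is told to move to
    echoed_nonce: Optional[bytes]  # value echoed from REDIRECTION_SUPPORTED

class Initiator:
    """Tracks one pending IKE_SA_INIT and validates any REDIRECT for it."""

    def __init__(self, spi_i: bytes, nonce: Optional[bytes] = None):
        self.spi_i = spi_i
        # 32-bit random identifier carried in REDIRECTION_SUPPORTED (the
        # proposal in the thread); echoing Ni instead would reuse state the
        # initiator already keeps for the exchange.
        self.nonce = nonce if nonce is not None else os.urandom(4)
        self.awaiting_response = False
        self.gateway: Optional[str] = None

    def ike_sa_init_request(self) -> dict:
        self.awaiting_response = True
        return {"spi_i": self.spi_i, "REDIRECTION_SUPPORTED": self.nonce}

    def accept_redirect(self, r: Redirect) -> bool:
        # Only a REDIRECT for the outstanding exchange, matching both the SPI
        # and the nonce, may change the gateway; anything else is dropped.
        if not self.awaiting_response or r.spi_i != self.spi_i:
            return False
        if r.echoed_nonce is None or not compare_digest(r.echoed_nonce, self.nonce):
            return False
        self.gateway = r.new_gateway
        self.awaiting_response = False
        return True

def gateway_redirect(request: dict, new_gateway: str) -> Redirect:
    """A legitimate responder copies the nonce it received into REDIRECT."""
    return Redirect(request["spi_i"], new_gateway, request["REDIRECTION_SUPPORTED"])

if __name__ == "__main__":
    init = Initiator(b"\x11" * 8)
    req = init.ike_sa_init_request()
    print("SPI guessed, nonce absent:", init.accept_redirect(Redirect(init.spi_i, "rogue", None)))
    print("legitimate redirect:", init.accept_redirect(gateway_redirect(req, "gw2.example")))
```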