Yaron Sheffer writes: > I'm not sure in what way this is worse than other potential attacks at this > stage, such as sending back an unprotected notification saying that the > offered group is unacceptable.
If attacker sends notification back saying the offered group is unacceptable, it will also indicate new group (which must be part of initiators offer) in the notification payload, and then initiator tries again with that. If that new group is acceptable by the server too, then they create IKE_SA with that group, and as it was acceptable with both it is ok. It might not be the strongest group they supported, but the group is one of the acceptable groups for both ends. For other unauthenticated error emssages the initiator should ignore them, and keep trying until the exchange times out. > This case is different though if the attacker redirects into a legitimate > gateway, because things look normal, traffic gets through, but an innocent > gateway may get overwhelmed if all other "equivalent" gateways are > redirected to it. Yes. > It may be simpler to echo the nonce Ni back to the initiator as part of the > Redirect payload. This would introduce no new state. That would also be good solution, as the nonce is already defined to be random and large enough. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
