I started to think whether there are other possible attacks against QCD and found one which might be possible if implementations do not take care of it. The IKE SPIs are allocated during the IKE_SA_INIT. The IKEv2 SA is really created during the IKE_AUTH. This means there is a possibility that some implementation might consider IKE SA spis still invalid before the IKE_AUTH finishes (for example another member of the tight cluster might be updated with the IKE SA information only after the IKE SA is ready). If attacker sees IKE_SA_INIT and grabs IKE SAs from there and then sends IKE packet to that another member which has not yet updated with this partial IKE SA that might trigger QCD_TOKEN even when it should not.
This is not really big issue as in normal implementations already take care of this by following the rule which says do not allow any other exchanges before IKE_SA_INIT/IKE_AUTH finishes but this might happen on certain cluster setups. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
