On Thu, 20 Sep 2012, Yaron Sheffer wrote:
Can you please clarify why the HMAC mitigates this attack? As far as I understand the attack, everything takes place inside the protected tunnel, so the HMAC is always correct.
I thought, but please correct me if I'm wrong here, that with TLS you can send multiple one-byte-off packets to see the response of the TLS server. The error or lucky guess will be shown by a different response on the server. With IPsec, I thought once you sent the one packet, the HMAC with counter would prevent you from sending more packets for testing until the client starts another request packet for the attacker to modify. Though thinking about it again, I guess if the crypto fails on the packet, it is not received so you can send more packets here as well. Paul _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
