Yoav Nir writes:
> > Anything extra (notifications etc) you send inside the main mode or
> > aggressive mode packets are not authenticated, so sending responder
> > life time notifications is not a good idea (and the other end will
> > simply ignore it).
> 
> This is true for MM2, but not for MM6. MM6 is encrypted and
> authenticated, so the peer can and should (if they implemented the
> draft) use it.

MM6 is encrypted, but not authenticated, except for certain parts
inside the packet. MM5/MM6 do have a SIG (certificates)/HASH
(pre-shared keys) payload, but that only covers certain parts:

    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

So if the original MM5/MM6 has a notification payload and an attacker can
guess where it is (not very hard), he can modify it (even when it is
encrypted).

This is one of the things we did fix in IKEv2, and that's why IKEv2
does MAC all of the payloads, and the authentication hash does include the
whole IKE_SA_INIT packet so it also gets authenticated.
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
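As an added illustration (not part of this thread), a small Python model of the two integrity designs discussed above: the IKEv1 HASH_I computed over exactly the fields listed in the message, and an IKEv2-style check that covers every payload. All values are constructed, the prf is taken to be HMAC-SHA1, and encryption is left out, since the point is only which payloads the authentication hash covers.

```python
import hmac
import hashlib

# Constructed sample values, not captured IKE traffic. SKEYID stands in
# for the shared prf key both peers derive during phase 1.
SKEYID = b"constructed-skeyid"

# Payloads of a modelled MM5 message, in wire order. The notify payload
# (RESPONDER-LIFETIME) is NOT one of the inputs to HASH_I in RFC 2409.
FIELDS = ("g_xi", "g_xr", "cky_i", "cky_r", "sai_b", "idii_b", "notify")


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf, instantiated here as HMAC-SHA1 (an assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_hash_i(msg: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    covered = (msg["g_xi"] + msg["g_xr"] + msg["cky_i"] + msg["cky_r"]
               + msg["sai_b"] + msg["idii_b"])
    return prf(SKEYID, covered)


def ikev2_style_icv(msg: dict) -> bytes:
    """Model of the IKEv2 design: the integrity check covers every payload."""
    return prf(SKEYID, b"".join(msg[f] for f in FIELDS))


def build_mm5() -> dict:
    """Constructed MM5 carrying a RESPONDER-LIFETIME notify plus both checks."""
    msg = {"g_xi": b"\x11" * 16, "g_xr": b"\x22" * 16,
           "cky_i": b"\x33" * 8, "cky_r": b"\x44" * 8,
           "sai_b": b"constructed-SA-body", "idii_b": b"initiator-id",
           "notify": b"RESPONDER-LIFETIME=86400"}
    msg["hash_i"] = ikev1_hash_i(msg)
    msg["icv"] = ikev2_style_icv(msg)
    return msg


def with_notify(msg: dict, new_notify: bytes) -> dict:
    """Same message with only the notify payload changed, checks untouched."""
    return {**msg, "notify": new_notify}


def ikev1_check(msg: dict) -> bool:
    """Verifier's HASH_I comparison; passes even if the notify changed."""
    return hmac.compare_digest(ikev1_hash_i(msg), msg["hash_i"])


def ikev2_style_check(msg: dict) -> bool:
    """Verifier's all-payload check; fails if any payload changed."""
    return hmac.compare_digest(ikev2_style_icv(msg), msg["icv"])
```

Running `ikev1_check` on a message whose notify payload was altered still returns True, while `ikev2_style_check` returns False, which is the coverage difference the message describes.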