Hi, Yaron On Oct 5, 2014, at 10:56 PM, Yaron Sheffer <[email protected]> wrote:
> > - I'm not sure what is special about "[the case] when an Authentication > request fails to decrypt." Seems to me this is a verified DoS attack from a > specific IP. I see I wasn’t clear about this, because both you and Graham missed what I meant. Suppose we have a responder where half-open SAs time out after 10 seconds. This responder receives an Initial Request, and responds with an Initial Response. It stores its own private value and the peer’s public value in the half-open SA database, keyed by IKE SPIs. 0.5 seconds later, it receives an IKE_AUTH request with the right IKE SPIs. It derives the keys (making any ECDH check that’s needed) It tries to decrypt the message The message fails to decrypt (or more likely, the MAC comparison fails) Now the responder has two options: (1) delete the entry in the half-open SA database, or (2) store the derived key, and keep the half-open SA another 9.5 seconds. (2) has the disadvantage that the attacker can keep sending more junk packets and get the responder to attempt to decrypt all of them. (1) has the disadvantage that an attacker can inject a junk IKE_AUTH request by just copying the IKE SPIs from the IKE_INIT response, which will prevent the responder from processing the real initiator’s IKE_AUTH request. So I’m not sure which is worse. Yoav _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
