And again for IKE_AUTH, I don't see why with fragmentation you need
one puzzle solution per fragment. The major CPU cost (DH computation,
certificate stuff and decryption) comes once, after the message is
re-assembled. So it seems to me only one puzzle response is needed for
the entire message.

In this case the responder would become susceptible to the attack
when an attacker emits forged fragments that take the place of
good fragments from the legitimate initiator in the reassembly queue.
To detect the forgery the responder needs to check fragment
authenticity before inserting it into the reassembly queue.
That would require performing DH and calculating
SK_a*, but that is what we are willing to defer unless the peer
proves that it really, really wants to set up a connection and
is ready to spend quite a lot of resources to do it.

It would be possible to protect with a puzzle only the very
first fragment, because once we have calculated SK_a*
it takes very few resources to verify the other fragments,
but fragments can arrive in any order, so the puzzle must be
in each fragment. That is a bit unfortunate for the initiator, I admit.


I get your point, but I think this is more than unfortunate, this is really ugly. RFC 7383 is primarily about IKE_AUTH, and now, in the case of those broken networks that limit the MTU, we are reducing the effective MTU yet again.

But I think we're looking at the wrong problem. Let us look at why we might need to add puzzles to IKE_AUTH at all. There are two cases:
- The IKE SA is set up by a valid initiator.
- The IKE SA is set up by an attacker.

In the first case, the responder needs to compute SKEYSEED anyway. It should compute it once and cache it, even if it sees multiple bogus IKE_AUTH messages sent by attackers. Verifying IKE_AUTH messages is cheap once SKEYSEED has been computed, because you only need to verify that the SK integrity protection is valid. The (valid) initiator "pays the price" once, in the form of an IKE_SA_INIT puzzle.

In the second case, the attacker also pays the price if we have a puzzle attached to IKE_SA_INIT. And the responder only computes SKEYSEED once, and caches the result. Since SKEYSEED is known to the attacker, it can send valid SK payloads, and the responder is forced to validate the certificate (expensive). So attaching a puzzle to IKE_AUTH is justified, to make the attacker pay for each certificate validation.

But this also shows that the IKE_SA_INIT puzzle is sufficient to counteract the cost of computing SKEYSEED (which is all you need for reassembly), and even when using fragmentation, this is only done once.

Thanks,
        Yaron

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
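The exchange above turns on two claims: that a responder has to authenticate each fragment before it is allowed into the reassembly queue, otherwise a forged fragment can occupy a slot meant for a genuine one, and that this authentication is cheap once SK_a has been derived, because the expensive DH/SKEYSEED step is paid only once per IKE SA. The following simulation is an added example, not code from the thread, from RFC 7383 or from any IKEv2 implementation. The fragment layout (number, total, payload, HMAC-SHA256 ICV), the key derivation and the `Responder` class are hypothetical simplifications; the shared secret, nonces and message are constructed values standing in for the DH output, Ni/Nr and an IKE_AUTH payload.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for the IKE_SA_INIT key material. In IKEv2 the
# responder derives SKEYSEED from the DH shared secret and the nonces, and
# SK_a* from SKEYSEED; here fixed byte strings play those roles.
SHARED_SECRET = b"constructed-dh-shared-secret"
NONCES = b"constructed-Ni-Nr"
MESSAGE = b"constructed IKE_AUTH payload: IDi CERT AUTH SA TSi TSr"


def make_icv(sk_a, num, total, payload):
    """Integrity check value over fragment header and payload (hypothetical format)."""
    header = struct.pack(">HH", num, total)
    return hmac.new(sk_a, header + payload, hashlib.sha256).digest()


def fragment(sk_a, message, size):
    """Split a message into (num, total, payload, icv) tuples, numbered from 1."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    total = len(chunks)
    return [(n, total, c, make_icv(sk_a, n, total, c)) for n, c in enumerate(chunks, 1)]


class Responder:
    """Toy responder: derives SK_a once, then authenticates each fragment cheaply."""

    def __init__(self, shared_secret, nonces, verify=True):
        self._shared_secret = shared_secret
        self._nonces = nonces
        self.verify = verify
        self.sk_a = None
        self.expensive_derivations = 0  # times the DH/SKEYSEED step was paid
        self.cheap_verifications = 0    # per-fragment HMAC checks performed
        self.queue = {}                 # fragment number -> payload
        self.total = None

    def derive_sk_a(self):
        """One-time expensive step, standing in for DH plus SKEYSEED/SK_a derivation."""
        if self.sk_a is None:
            self.expensive_derivations += 1
            skeyseed = hmac.new(self._nonces, self._shared_secret, hashlib.sha256).digest()
            self.sk_a = hmac.new(skeyseed, b"SK_a", hashlib.sha256).digest()
        return self.sk_a

    def receive(self, frag):
        """Authenticate a fragment (if verify is on) before it enters the queue.

        Returns True if the fragment was queued, False if it was rejected."""
        num, total, payload, icv = frag
        if self.verify:
            expected = make_icv(self.derive_sk_a(), num, total, payload)
            self.cheap_verifications += 1
            if not hmac.compare_digest(icv, expected):
                return False
        self.total = total
        self.queue.setdefault(num, payload)  # first arrival for a number keeps the slot
        return True

    def reassemble(self):
        """Return the reassembled message once every fragment number is present."""
        if self.total is None or len(self.queue) < self.total:
            return None
        return b"".join(self.queue[n] for n in range(1, self.total + 1))


def run_scenario(verify):
    """Deliver fragments out of order, with a fragment carrying a bad ICV for
    number 2 arriving before the genuine one.
    Returns (reassembled, accepted flags, expensive count, cheap count)."""
    initiator_sk_a = Responder(SHARED_SECRET, NONCES).derive_sk_a()  # same secret as responder
    frags = fragment(initiator_sk_a, MESSAGE, 16)
    # Built without SK_a: its ICV cannot verify, but it claims fragment number 2.
    forged = (2, frags[0][1], b"X" * 16, hashlib.sha256(b"not-the-key").digest())
    arrival = [frags[2], forged, frags[0], frags[1], frags[3]]
    responder = Responder(SHARED_SECRET, NONCES, verify=verify)
    accepted = [responder.receive(f) for f in arrival]
    return (responder.reassemble(), accepted,
            responder.expensive_derivations, responder.cheap_verifications)


if __name__ == "__main__":
    checked, flags, expensive, cheap = run_scenario(verify=True)
    print("with check:", checked == MESSAGE, flags, "expensive", expensive, "cheap", cheap)
    unchecked, flags, _, _ = run_scenario(verify=False)
    print("no check  :", unchecked == MESSAGE, flags)
```

With `verify=True` the responder pays the expensive derivation exactly once, performs one cheap HMAC check per arriving fragment, rejects the fragment with the bad ICV and reassembles the original message despite out-of-order arrival. With `verify=False` every fragment is queued as it arrives, so the slot for number 2 is taken by the bad fragment and the genuine one is discarded as a duplicate, which is the reassembly-queue problem described in the quoted message. The single-derivation count is the point of Yaron's reply: the per-fragment cost is bounded by an HMAC once SKEYSEED is cached.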