> -----Original Message-----
> From: IPsec [mailto:[email protected]] On Behalf Of EXT Yoav Nir
> Sent: Friday, January 15, 2016 8:15 PM
> To: Valery Smyslov
> Cc: [email protected]; Paul Wouters; Scott Fluhrer (sfluhrer)
> Subject: Re: [IPsec] SLOTH & IKEv2
>
>
> > On 15 Jan 2016, at 10:32 PM, Valery Smyslov <[email protected]> wrote:
> >
> >
> >>> What about the responder - he doesn't see any cookie in this attack
> >>> - the attacker sends the crafted cookie only to the initiator and
> >>> sends a crafted IKE_SA_INIT message w/o cookie to the responder (as
> >>> far as I understand the attack).
> >>
> >> There is a cookie. See Figure 12 in Paul's blog post:
> >> https://securityblog.redhat.com/2016/01/13/the-sloth-attack-and-ikeipsec/
> >
> > Ah, you are right. I missed that in a quick read.
> >
> > After second read it seems to me that there is one more obstacle to
> > that attack in real world.
> > It seems that attacker appends original initiator's SAi, KEi, Ni
> > payloads to its message sent to responder (as info'). So, this message
> > would contain two SA payloads, two KE payloads etc. I believe the
> > responder must return INVALID_SYNTAX in this case.
>
> IIUC there are no two SA payloads and two KE payloads. All of those are
> part of the "cookie" sent to the real Responder. That is why it's so
> large.
[HJ] According to this figure (https://securityblog.redhat.com/wp-content/uploads/2016/01/sloth-ike-2.png): the IKE_INIT request (m1') sent to the real responder contains infoi' at the end, which equals SAi|g^x|Ni|infoi, so the actual m1' = HDR|C2|SAi'|g^x'|ni|SAi|g^x|ni|infoi; thus two SA, two KE, two Ni payloads. C2 is the cookie payload in m1'; it doesn't contain any payload, while the cookie payload in m1 (the IKE_INIT request from the real initiator) does contain C1|SAi'|g^x'|ni.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
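The two readings of m1' above differ only in whether the real initiator's SAi|g^x|Ni travel as their own payloads or as opaque bytes inside the N(COOKIE) payload. The script below is an added example (mine, not code from the thread, the Red Hat blog post or any IKE implementation) that builds both variants of m1' plus the real initiator's m1 from constructed stand-in values, walks the IKEv2 generic payload chain the way a responder would, and applies the check discussed in the thread. The rule that a second SA, KE or Ni payload in an IKE_SA_INIT request is rejected as INVALID_SYNTAX is taken from the thread's discussion and treated as an assumption here; the header and payload layouts, payload type numbers and the COOKIE notify type are from RFC 7296. The infoi payloads are omitted from the samples.

```python
import struct
from collections import Counter

# IKEv2 constants from RFC 7296 (sections 3.1, 3.2, 3.10.1)
IKE_HEADER_LEN = 28
IKEV2_VERSION = 0x20
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
PT_NONE, PT_SA, PT_KE, PT_NONCE, PT_NOTIFY = 0, 33, 34, 40, 41
NOTIFY_COOKIE = 16390
# Payloads an IKE_SA_INIT request carries once. Treating a second copy as
# INVALID_SYNTAX is the reading discussed in the thread, adopted here as an assumption.
SINGLETON_PAYLOADS = {PT_SA, PT_KE, PT_NONCE}

def notify_body(ntype, data, protocol_id=0, spi=b""):
    """Notify payload body: Protocol ID, SPI Size, Notify Message Type, SPI, data."""
    return struct.pack("!BBH", protocol_id, len(spi), ntype) + spi + data

def build_ike_sa_init(spi_i, payloads):
    """Chain (type, body) tuples behind an IKE_SA_INIT request header."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        chain += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else PT_NONE
    hdr = struct.pack("!8s8sBBBBII", spi_i, b"\x00" * 8, first, IKEV2_VERSION,
                      EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0, IKE_HEADER_LEN + len(chain))
    return hdr + chain

def parse_payloads(msg):
    """Walk the generic payload headers; return [(type, body), ...] in wire order."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    _, _, next_type, _, _, _, _, length = struct.unpack("!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length does not match message")
    off, found = IKE_HEADER_LEN, []
    while next_type != PT_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _flags, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        found.append((next_type, msg[off + 4:off + plen]))
        off, next_type = off + plen, nxt
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return found

def check_ike_sa_init(msg):
    """Return ('OK' | 'INVALID_SYNTAX', per-type payload counts)."""
    counts = Counter(ptype for ptype, _ in parse_payloads(msg))
    duplicated = any(counts[t] > 1 for t in SINGLETON_PAYLOADS)
    return ("INVALID_SYNTAX" if duplicated else "OK"), counts

def cookie_data(msg):
    """Opaque data of the N(COOKIE) payload, or None if absent."""
    for ptype, body in parse_payloads(msg):
        if ptype == PT_NOTIFY:
            _, spi_size, ntype = struct.unpack("!BBH", body[:4])
            if ntype == NOTIFY_COOKIE:
                return body[4 + spi_size:]
    return None

# Constructed stand-ins for the figure's symbols (not real proposals, DH values or nonces).
SA_I, KE_I, N_I = b"SAi", b"g^x", b"Ni"      # real initiator's payloads
SA_A, KE_A, N_A = b"SAi'", b"g^x'", b"ni"    # attacker's own payloads
C1, C2 = b"cookie-1", b"cookie-2"

def m1_real_initiator():
    """m1: the real initiator's retry, with C1|SAi'|g^x'|ni as opaque cookie data."""
    return build_ike_sa_init(b"\x11" * 8, [
        (PT_NOTIFY, notify_body(NOTIFY_COOKIE, C1 + SA_A + KE_A + N_A)),
        (PT_SA, SA_I), (PT_KE, KE_I), (PT_NONCE, N_I)])

def m1_prime_as_drawn():
    """m1' read as HDR|C2|SAi'|g^x'|ni|SAi|g^x|ni: the real payloads appended as payloads."""
    return build_ike_sa_init(b"\x22" * 8, [
        (PT_NOTIFY, notify_body(NOTIFY_COOKIE, C2)),
        (PT_SA, SA_A), (PT_KE, KE_A), (PT_NONCE, N_A),
        (PT_SA, SA_I), (PT_KE, KE_I), (PT_NONCE, N_I)])

def m1_prime_in_cookie():
    """m1' with SAi|g^x|Ni carried inside the cookie instead (Yoav's reading)."""
    return build_ike_sa_init(b"\x22" * 8, [
        (PT_NOTIFY, notify_body(NOTIFY_COOKIE, C2 + SA_I + KE_I + N_I)),
        (PT_SA, SA_A), (PT_KE, KE_A), (PT_NONCE, N_A)])

if __name__ == "__main__":
    for name, msg in [("m1", m1_real_initiator()),
                      ("m1' as drawn", m1_prime_as_drawn()),
                      ("m1' cookie-carried", m1_prime_in_cookie())]:
        verdict, counts = check_ike_sa_init(msg)
        print(f"{name}: {verdict}, SA={counts[PT_SA]} KE={counts[PT_KE]} "
              f"Ni={counts[PT_NONCE]}, cookie={len(cookie_data(msg))} bytes")
```

Running it shows the point each side is making: the "as drawn" m1' carries two SA, two KE and two nonce payloads and trips the duplicate check, whereas the cookie-carried m1' looks like an ordinary single-proposal request whose only oddity is a large N(COOKIE) payload, which is exactly what a responder that treats cookie data as opaque will accept.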
