Hi,
After a second read, it seems to me that there is one more obstacle to
that attack in the real world.
It seems that the attacker appends the original initiator's SAi, KEi, Ni
payloads to its message sent to the responder (as info`). So, this message
would contain two SA payloads, two KE payloads, etc. I believe the
responder must return INVALID_SYNTAX in this case.
[HJ] Agree; however, I can't find any text in RFC 7296 that states the responder needs
to reject the request and return INVALID_SYNTAX in such a case. An implementation
might choose to simply ignore the subsequent redundant payload and proceed...
Sure, there is no such text in the RFC. However, this requirement is implicit,
since the figures in Appendix C.1 show those payloads that may appear multiple
times in the messages as PLD+. It is assumed that those payloads that don't have
the plus sign must appear only once (or not appear at all).
And if an implementation chooses to ignore the redundant payload, then
there is a question: which payload is redundant? There is no requirement
in the RFC that payloads come in a specific order, so one implementation may
think that the first payload is the actual one and the subsequent one is redundant,
while another may think otherwise.
So I think INVALID_SYNTAX is the only proper response here.
Regards,
Valery.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
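The check Valery argues for, as an added example that is not part of the thread and not any implementation's code: a walker over the IKE_SA_INIT payload chain that returns INVALID_SYNTAX when a message carries two SA, KE or Ni payloads, instead of guessing which copy is the "real" one. Payload type numbers, the 28-byte IKE header layout and the set of payloads drawn with "+" in Appendix C.1 are taken from RFC 7296; the messages built by `build_message` are constructed test input.

```python
import struct
from collections import Counter

# IKEv2 payload type numbers (RFC 7296, section 3.2) and the notify type used to reject.
SA, KE, CERTREQ, NONCE, NOTIFY, VENDOR = 33, 34, 38, 40, 41, 43
NO_NEXT_PAYLOAD = 0
INVALID_SYNTAX = 7
IKE_HDR_LEN = 28
REPEATABLE = {NOTIFY, VENDOR, CERTREQ}  # drawn as N+, V+, CERTREQ+ in Appendix C.1

def parse_payload_chain(msg: bytes):
    """Walk the generic payload headers after the IKE header; return [(type, body)]."""
    if len(msg) < IKE_HDR_LEN or struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("bad IKE header or length")
    next_type, off, payloads = msg[16], IKE_HDR_LEN, []
    while next_type != NO_NEXT_PAYLOAD:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _flags, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((next_type, msg[off + 4:off + plen]))
        off, next_type = off + plen, nxt
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return payloads

def check_sa_init(msg: bytes):
    """None if the payload set is acceptable for IKE_SA_INIT, else INVALID_SYNTAX."""
    try:
        payloads = parse_payload_chain(msg)
    except ValueError:
        return INVALID_SYNTAX
    counts = Counter(t for t, _ in payloads)
    # A second SA, KE or Ni is rejected outright rather than silently keeping one copy.
    if any(n > 1 and t not in REPEATABLE for t, n in counts.items()):
        return INVALID_SYNTAX
    if any(counts.get(t, 0) != 1 for t in (SA, KE, NONCE)):
        return INVALID_SYNTAX  # mandatory payload missing
    return None

def build_message(payloads):
    """Constructed test message: zero SPIs, version 2.0, IKE_SA_INIT (34), Initiator flag."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    hdr = struct.pack("!8s8sBBBBII", bytes(8), bytes(8), first, 0x20, 34,
                      0x08, 0, IKE_HDR_LEN + len(body))
    return hdr + body
```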