I must correct myself - if the attacker takes care and puts the Notify
payload header at the end of the ck it sends to the initiator (and it must
correctly guess the length of info), then it will work - all the
original payloads from the initiator will appear inside the Notification
payload and will be ignored by the responder.
[HJ] how would this work? Even if the attacker appends a notification header in ck
and returns ck = C1|SAi'|g^x'|ni|notify_header, then
m1 (from the real initiator) = HDR | (C1|SAi'|g^x'|ni|notify_header)_as_ck | SAi | g^x | ni | nat-t;
the notify header is part of ck and won't be parsed as an actual notify payload header.
Yes, but when the attacker sends a message to the responder it replaces
ck with C2, and the message will look like
mi' = HDR | ck'=C2 | SAi' | g^xi' | ni' | notify_header | SAi | g^xi | ni | info_i
If the length indicated in notify_header is equal to the length of
SAi | g^xi | ni | info_i,
then the responder will treat these payloads as notify payload content and
will ignore them.
So, for the responder the message will look like:
mi' = HDR | cookie | SA | KE | NONCE | Nx
where Nx is some unknown notification.
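To make the responder's view concrete, here is an added example (not code from this thread or from any IKE implementation) that builds the mi' layout from the message above as a constructed byte string and walks the IKEv2 payload chain the way a responder's parser does; the cookie value, the payload bodies and the private-use notify type 40960 are constructed sample values.

```python
import struct

IKE_HDR_LEN = 28                     # IKEv2 header: SPIi, SPIr, next, ver, xchg, flags, msgid, len
PT_SA, PT_KE, PT_NONCE, PT_NOTIFY = 33, 34, 40, 41   # IKEv2 payload type numbers
N_COOKIE, N_NAT_SRC = 16390, 16388   # COOKIE and NAT_DETECTION_SOURCE_IP notify types
NX_TYPE = 40960                      # constructed "unknown" notify type (private-use range)
NAMES = {PT_SA: "SA", PT_KE: "KE", PT_NONCE: "NONCE", PT_NOTIFY: "N"}

def payload(next_type, body):
    # Generic payload header: next payload, critical/reserved, length incl. the 4-byte header.
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def notify(next_type, msg_type, data):
    # Notify body: protocol id 0, SPI size 0, notify message type, then data.
    return payload(next_type, struct.pack("!BBH", 0, 0, msg_type) + data)

def build_attacker_message():
    """Constructed mi' = HDR | ck'=C2 | SAi' | g^xi' | ni' | notify_header | SAi | g^xi | ni | info_i."""
    init_tail = (payload(PT_KE, b"SAi") + payload(PT_NONCE, b"g^xi")
                 + payload(PT_NOTIFY, b"ni") + notify(0, N_NAT_SRC, b"nat"))
    # notify_header: next payload 0 and a length chosen to cover all of init_tail.
    nx = struct.pack("!BBH", 0, 0, 8 + len(init_tail)) + struct.pack("!BBH", 0, 0, NX_TYPE)
    body = (notify(PT_SA, N_COOKIE, b"C2-cookie") + payload(PT_KE, b"SAi'")
            + payload(PT_NONCE, b"g^xi'") + payload(PT_NOTIFY, b"ni'") + nx + init_tail)
    hdr = struct.pack("!QQBBBBII", 0x1111, 0, PT_NOTIFY, 0x20, 34, 0x08, 0, IKE_HDR_LEN + len(body))
    return hdr + body

def parse_chain(msg):
    """Responder's view: list of (payload name, length, notify type or None) in chain order."""
    next_type, off, seen = msg[16], IKE_HDR_LEN, []
    while next_type != 0:
        nt, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        ntype = struct.unpack_from("!H", msg, off + 6)[0] if next_type == PT_NOTIFY else None
        seen.append((NAMES.get(next_type, str(next_type)), plen, ntype))
        off, next_type = off + plen, nt
    return seen

if __name__ == "__main__":
    for name, plen, ntype in parse_chain(build_attacker_message()):
        print(name, plen, ntype)   # the initiator's SAi|g^xi|ni|info_i never appear as payloads
```

The last chain entry is one oversized notify of an unknown type that hides the initiator's own payloads, which is also what a responder that logs unknown notify types and their sizes would observe.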
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec