>
> Yes, but when the attacker sends a message to the responder it replaces
> ck with C2 and the message will look like
>
> mi'=HDR | ck'=C2 | SAi' | g^xi' | ni' | notify_header | SAi | g^xi | ni
> | info_i
>
> If the length indicated in the notify_header is equal to the length
> of SAi | g^xi | ni | info_i, then the responder will treat these
> payloads as notify payload content and will ignore them.
> So, for the responder the message will look like:
>
> mi'=HDR | cookie | SA | KE | NONCE | Nx
>
> where Nx is some unknown notification.
[HJ] Yes, you are right. So, to summarize what has been discussed previously in this
thread:
On the initiator side:
- This attack is impractical if the initiator's SPIi is unpredictable,
since it is infeasible for the attacker to compute C1/C2 offline for all possible
SPIi, and it is impossible to compute C1/C2 online before the client switches to a
different SPIi.
On the responder side:
- If the responder is expecting a cookie, then C2 won't match the
expected cookie; the responder will return the expected cookie, so this attack won't
work in this case.
- If the responder is not expecting a cookie, then it could still verify
the cookie to prevent this attack. One of the checks that could be done is that a
legitimate cookie length must be <= 64 B.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
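The parsing step the quoted message describes (a notify header whose length field covers SAi | g^xi | ni | info_i, so the responder consumes them as the data of one unknown notification Nx) and the responder-side cookie checks from the summary, as an added example; it is not code from this thread or from any IKE implementation. Generic payload and notify encodings follow RFC 7296 (sections 3.2 and 3.10); the 1..64 octet bound on COOKIE data is from section 2.6. Assumed for illustration: notify type 40999 as the unrecognised Nx, placeholder bytes for SPIi, SA, KE and nonces, and a 32-byte C2 (the thread does not say how long C1/C2 are).

```python
import struct

# Payload type codes and the COOKIE notify type from RFC 7296 (ss.3.2, 3.10.1).
PT_NONE, PT_SA, PT_KE, PT_NONCE, PT_NOTIFY = 0, 33, 34, 40, 41
NAMES = {PT_SA: "SA", PT_KE: "KE", PT_NONCE: "NONCE", PT_NOTIFY: "N"}
N_COOKIE = 16390
N_UNKNOWN = 40999                 # assumed: a notify type the responder does not recognise
IKE_HDR = "!8s8sBBBBII"           # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
COOKIE_MIN, COOKIE_MAX = 1, 64    # RFC 7296 s.2.6 bounds on COOKIE notification data


def notify(ntype, data):
    """Notify payload body: protocol ID 0, SPI size 0, message type, notification data."""
    return struct.pack("!BBH", 0, 0, ntype) + data


def chain(payloads):
    """Serialize [(type, body), ...]: each generic header names the NEXT type and its own length."""
    out = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return out


def ike_sa_init(spi_i, payloads):
    """IKE_SA_INIT request (exchange type 34, Initiator flag set) carrying the given payload chain."""
    body = chain(payloads)
    return struct.pack(IKE_HDR, spi_i, bytes(8), payloads[0][0], 0x20, 34, 0x08, 0, 28 + len(body)) + body


def parse(msg):
    """Walk the chain as a responder does: each header's length decides where the next payload
    starts, so whatever a notify header's length covers is consumed as that notification's data."""
    spi_i, _, nxt, _, _, _, _, length = struct.unpack(IKE_HDR, msg[:28])
    if length != len(msg):
        raise ValueError("IKE header length does not match message")
    off, seen = 28, []
    while nxt != PT_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt2, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if nxt == PT_NOTIFY:
            _, spi_size, ntype = struct.unpack("!BBH", body[:4])
            seen.append(("N", ntype, body[4 + spi_size:]))
        else:
            seen.append((NAMES.get(nxt, str(nxt)), None, body))
        off, nxt = off + plen, nxt2
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return spi_i, seen


def check_cookie(seen, expected=None):
    """Responder checks from the summary: when a cookie is expected, a mismatch means 'send ours
    again'; when none is expected, at least require a legitimate length (1..64 octets)."""
    cookies = [d for name, t, d in seen if name == "N" and t == N_COOKIE]
    if expected is not None:
        return "accept" if cookies and cookies[0] == expected else "resend_cookie"
    if any(not COOKIE_MIN <= len(c) <= COOKIE_MAX for c in cookies):
        return "reject"
    return "accept"


def demo(ck, c2):
    """Honest initiator message next to the attacker's rewrite of it.  SPIi, SA, KE and nonce
    contents are constructed placeholders, not real IKE material."""
    spi_i, sa, ke, ni = b"\x11" * 8, b"\x00" * 12, bytes(range(32)), bytes(range(16))
    honest = ike_sa_init(spi_i, [(PT_NOTIFY, notify(N_COOKIE, ck)),
                                 (PT_SA, sa), (PT_KE, ke), (PT_NONCE, ni)])
    # The attacker keeps SPIi, swaps ck for C2, supplies its own SAi'|g^xi'|ni', and then puts one
    # notify header in front of the victim's SAi|g^xi|ni|info_i whose length covers all of it.
    hidden = chain([(PT_SA, sa), (PT_KE, ke), (PT_NONCE, ni)]) + b"info_i"
    forged = ike_sa_init(spi_i, [(PT_NOTIFY, notify(N_COOKIE, c2)),
                                 (PT_SA, b"\x01" * 12), (PT_KE, bytes(32)), (PT_NONCE, bytes(16)),
                                 (PT_NOTIFY, notify(N_UNKNOWN, hidden))])
    return parse(honest)[1], parse(forged)[1]


if __name__ == "__main__":
    for label, seen in zip(("honest", "forged"), demo(b"c" * 32, b"C" * 32)):
        print(label, [(n, t, len(d)) for n, t, d in seen])
```

Running it prints four payloads for the honest message and five for the forged one, the fifth being N(40999) whose data starts with the victim's original SA payload header. With a responder that expects cookie ck, check_cookie() answers "resend_cookie" for the forged message, as the summary says; without an expected cookie the length check alone only rejects a cookie outside 1..64 octets, so a short C2 passes it, which is why the summary presents it as one check among several rather than a complete defence.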