Jeff,
On Tuesday, February 6, 2024, 01:51:59 PM EST, Jeffrey Haas
<[email protected]> wrote:
Reshad,
On Feb 6, 2024, at 11:51 AM, Reshad Rahman <[email protected]> wrote:
Jeff, you mention below that NULL auth with sequence numbers is impractical to
use for optimizing authentication. I agree that NULL auth doesn't help with an
active attacker, but it still gives protection against "random" attacks?
Unfortunately not in all circumstances. The attack in this case is a form of
"blind injection" attack. As John notes in other bit of the thread, when
sessions are protected via GTSM, this limits where the attack can come from.
So, this would apply to whomever can inject packets that successfully get past
the other necessary checks.<RR> Ack, I get that part. I should have said "some
protection" but yes the blind injection can get lucky.
TCP is vulnerable vs. some flavors of this as well. Long lived tcp sessions,
such as BGP, need the protections covered by tcp-md5/ao or other protection
such as ipsec to guard against such things.
ISAAC works for active attacks but I don't understand why no-auth still works,
no-auth is weaker than NULL auth: you don't need to be an active attacker to
knock over a session with no-auth?
With no-auth, the only thing you can say is "the session is still up". In the
optimized case we're guarding against parameter changes so that's all we get to
do.<RR> What I don't understand is no-auth still works in the statement below:
if NULL auth is impractical, so should no-auth. What I am missing?"1. NULL auth
and using the sequence numbers becomes impractical to use for optimizing
authentication procedures. ISAAC and no-auth still work. "
