Hi Paul,
Can't an off-path attacker DoS the gateway if they can guess the SPI
values? We never mandated that SPIs should be random (except for RFC
6290, in Sec. 9.3, but this is rarely implemented), so implementations
are free to use very small integers for the SPIs. In fact I think we
should reconsider mandating random SPIs once again.
Thanks,
Yaron
On 03/14/2013 04:51 PM, Paul Wouters wrote:
On Thu, 14 Mar 2013, Tero Kivinen wrote:
As earlier explained not doing that allows very wasy DoS attack, which
allows IKEv2 to finish by just sending very few packets, i.e. you send
one corrupted fragment to the packet and if you do that before
responder gets the correct fragment, the responder stores it for
reassembly and after it reassembles the packet it will only then
notice that the packet is corrupted, and then it needs to throw the
whole packet away. It cannot know which of the fragment is corrupted.
This means the initiator needs to retransmit whole packet, i.e. all
fragments of it, and attacker can do this again.
Note that requires an observer that can see your cookies/spi. Which would
mean a local attacker, whom could just as easilly send you nonsense
forged from the remote endpoint - as they are guaranteed to answer
faster. You'd be decrypting thousands of packets to find the needle in
the haystack. I wonder what the chances then are that you don't end up
dropping teh valid fragment.
If the attacker is not local, they need to be in your path to know the
spi/cookies, and they can just filter out the valid fragments.
But I see your point, it does raise the bar a little bit. Although I'm
not convinced it's worth it.
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
