[HJ] according to this
figure(https://securityblog.redhat.com/wp-content/uploads/2016/01/sloth-ike-2.png):
The IKE_INIT request(m1') send to real responder contain infoi' at the end,
which equals=SAi|g^x|Ni|infoi,
so the actual m1'=HDR|C2|SAi'|g^x'|ni|SAi|g^x|ni|infoi; thus two SA, tw KE, two
Ni payloads; C2 is the cookie
payload in m1', it doesn't contain any payload. while the cookie payload in
m1(IKE_INIT request from release
initiator) does contain C1|SAi'|g^x’|ni
OK, but if those extra payloads are disguised as some notification (there is no
payload actually called “info”),
then responders do tend to ignore notifications they don’t recognize.
True, but in this case the inputs to the hash function will be different (you
need to insert Notification
payload header in the m`), so the attack will fail.
Yoav
Regards,
Valery.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
