[HJ]So to summary what has been discussed previous in this thread:
On Initiator side:
- This attack is impractical if the initiator's SPIi is unpredictable, since it is infeasible
for attacker to compute C1/C2 offline for all possible SPIi. And it is impossible
to compute C1/C2 online before client switch to a different SPIi.
- On responder side:
- if responder is expecting a cookie, then the C2 won't match the expecting cookie,
responder will return the expecting cookie, this attack won't work in this case.
- if responder is not expecting a cookie, then it could still verify the cookie to prevent this attack.
One of the checks could be done is a legit cookie length must be <=64B.
I think that responder must verify the cookie if it is present, regardless
on whether it is expected to be present or not. And it must request
another cookie if the verification failed.
Regards,
Valery.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
