Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]
Bill Sommerfeld <sommerfeld@East.Sun.COM> Mon, 17 July 2000 01:40 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA24264; Sun, 16 Jul 2000 18:40:01 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA12150 Sun, 16 Jul 2000 20:10:34 -0400 (EDT)
Message-Id: <200007170018.e6H0IVJ113187@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
To: hugh@mimosa.com
cc: Dan Harkins <dharkins@cips.nokia.com>, Henry Spencer <henry@spsystems.net>, IPsec List <ipsec@lists.tislabs.com>, Hugh Daniel <hugh@toad.com>, John Gilmore <gnu@toad.com>
Subject: Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt]
In-reply-to: Your message of "Sun, 16 Jul 2000 14:35:30 EDT." <Pine.LNX.4.21.0007161228070.21743-100000@redshift.mimosa.com>
Reply-to: sommerfeld@East.Sun.COM
Date: Sun, 16 Jul 2000 20:18:30 -0400
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Having just spent some time beating my head against a related issue (quick mode state management) in interoperability testing, it's clear that the whole phase-2 "message-id" (really "transaction id") and the implicit initialization vector chaining approach is just extremely fragile from a protocol point of view, leading to all sorts of finger-pointing when debugging. one commonly sees the following if a quick mode exchange which runs "slow" (particularly when you have logging, etc., cranked up all the way), leading one party to retransmit: - both packets are received; the first one is handled properly, advancing the IV and similar state in the phase 2 transaction. - the second packet is decrypted using the new (wrong) IV state, resulting in a decrypted packet in which the first block of the plaintext is garbled. - the garbled packet is fed to the isakmp parser, where any of a number of things could happen before the parser decides the packet is too broken to live. almost certainly, it's not going to be able to find the HASH payload at all so it can't even verify the integrity of the rest of the message.. - the receiver typically then sends a (spurious) NOTIFY message informing the sender that a message, broken in one of many possible ways, has been received. An alternative case occurs when the initiator doesn't like the responder's reply, and just drops the phase 2 exchange state. the retransmitted message from the responder is then treated as a "new" QM transaction, which, as above, is garbled on decryption. No, this isn't a "security flaw" in the protocol. It's simply non-robust protocol design.. it's exactly when retransmissions are occuring that you *don't* want to burden the network with additional spurious traffic. - Bill
- simplifying rekeying [draft-jenkins-ipsec-rekeyin… D. Hugh Redelmeier
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Jan Vilhuber
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Jan Vilhuber
- RE: simplifying rekeying [draft-jenkins-ipsec-rek… Andrew Krywaniuk
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Henry Spencer
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Bill Sommerfeld
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Valery Smyslov
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Bill Sommerfeld
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Paul Koning
- RE: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Valery Smyslov
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… David W. Faucher
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… Dan Harkins
- Re: simplifying rekeying [draft-jenkins-ipsec-rek… D. Hugh Redelmeier