Re: [IPsec] Regarding ISAKMP SA lifetime negotiation.
Paul Wouters <paul@cypherpunks.ca> Wed, 06 March 2013 17:09 UTC
Return-Path: <paul@cypherpunks.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4CED21F8AE7 for <ipsec@ietfa.amsl.com>; Wed, 6 Mar 2013 09:09:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.39
X-Spam-Level:
X-Spam-Status: No, score=-1.39 tagged_above=-999 required=5 tests=[AWL=1.209, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cb1z1o0cPRb for <ipsec@ietfa.amsl.com>; Wed, 6 Mar 2013 09:09:26 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id 48FC721F8AC2 for <ipsec@ietf.org>; Wed, 6 Mar 2013 09:09:26 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ZLhKG17D5z9dQ; Wed, 6 Mar 2013 12:09:22 -0500 (EST)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FuguIC9PIik7; Wed, 6 Mar 2013 12:09:21 -0500 (EST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by mx.nohats.ca (Postfix) with ESMTP; Wed, 6 Mar 2013 12:09:20 -0500 (EST)
Received: by bofh.nohats.ca (Postfix, from userid 500) id 8B2B380D39; Wed, 6 Mar 2013 12:09:21 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 7E4E5804F3; Wed, 6 Mar 2013 12:09:21 -0500 (EST)
Date: Wed, 06 Mar 2013 12:09:21 -0500
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <20789.55344.544698.606624@fireball.kivinen.iki.fi>
Message-ID: <alpine.LFD.2.03.1303061203140.12957@nohats.ca>
References: <0E86FFD429E5FA4A97B86698F6C32AF81C271A91@xmb-rcd-x04.cisco.com> <20788.45136.1741.27834@fireball.kivinen.iki.fi> <AE23EA6D-D6D2-43C1-AEBC-0D4F4A299B75@checkpoint.com> <0E86FFD429E5FA4A97B86698F6C32AF81C271B6F@xmb-rcd-x04.cisco.com> <20789.55344.544698.606624@fireball.kivinen.iki.fi>
User-Agent: Alpine 2.03 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>, "Anoop V A (anova)" <anova@cisco.com>
Subject: Re: [IPsec] Regarding ISAKMP SA lifetime negotiation.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2013 17:09:27 -0000
On Tue, 5 Mar 2013, Tero Kivinen wrote: > As I pointed out earlier, attacker can MODIFY the notification data, > so they can change the life time stored inside the notification data > (there are some difficulties there, but lets not go to them). On the > other hand you would never accept any lifetime that would not be > accordingly to your own policy anyways, so this attack isn't that > effective in this case, as attacker can only change lifetime to > something that you would otherwise accept. So in worst case you are in > the same situation you were without this notification. > >> I understand may be other implementation will avoid this extra >> notify - but is there any violation in sending this extra notify in >> these messages? > > Most likely they will ignore the extra notify, but to be safe it might > be better to add vendor id payloads and only send notify if the other > end is sending known vendor id. There are some quite bad IKEv1 > implementations out there, and I would not even try to guess what they > might do when they get extra notification payloads. I already see some different vendorids for this coming in at times. The openswan/libreswan implementations ignore this vid, however I have been thinking about trying to make use of it on the initiator. It is useful if the responder is set to never rekey. If you don't take their lifetime into account, the IPsec SA can silently die (Cisco does this to me) if their lifetime is shorter. Or the remote could send a Delete/Notify and then the tunnel could be briefly down while the initiator re-initiates. The work around now is to ensure to set the keylife shorter on the initiator so you avoid these issues, but that requires manual and per case configuration. Paul
- [IPsec] Regarding ISAKMP SA lifetime negotiation. Anoop V A (anova)
- [IPsec] Regarding ISAKMP SA lifetime negotiation. Tero Kivinen
- Re: [IPsec] Regarding ISAKMP SA lifetime negotiat… Yoav Nir
- Re: [IPsec] Regarding ISAKMP SA lifetime negotiat… Anoop V A (anova)
- Re: [IPsec] Regarding ISAKMP SA lifetime negotiat… Tero Kivinen
- Re: [IPsec] Regarding ISAKMP SA lifetime negotiat… Tero Kivinen
- Re: [IPsec] Regarding ISAKMP SA lifetime negotiat… Paul Wouters