Re: SOI: identity protection and DOS

[Ari Huttunen <Ari.Huttunen@f-secure.com>]

Radia Perlman - Boston Center for Networking wrote:
> 
> Derek said:
> >>I happen to agree with Radia's point that you should try to protect
> >>the initiator's identity before the responder's identity (which
> >>implies the responder should authenticate to the initiator first).
> 
> Actually, Dan and Charlie changed my mind about that. The problem with
> the responder revealing identity information first is that ANYONE can
> initiate an IPsec connection to an IP address and find out who is there
> without ever divulging their identity.
> 
> If it's the initiator that reveals identity first then the only threat is
> from an active attacker impersonating the responder's IP address and lying
> in wait. (the initiator's ID is hidden from an eavesdropper and revealed
> only to whatever is sitting at the IP address the initiator connected to).
> If it's the responder that reveals identity first, then (assuming
> it's not a strict client/server model where the nodes that need identity
> protection never respond to IPsec connect initiates and only initiate
> them) it is trivial to find out who is at an IP address.
> 
> Radia

I suggest that the responder create an identity-encrypting-key once, and always 
sends it in message 2. Then on the first connection initiator's identity is 
vulnerable to active attackers, but on subsequent connections it is not, provided
the initiator remembers that key and barfs if it has changed. Then on message
3 the initiator encrypts its identity with that key.  

Compare this with the SSH protocol where the initiator remembers the responder's key.

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise