[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: some concerns about last IKEv2 draft

Francis Dupont writes:
>    >     BTW the "any authenticated IKE encapsulated ESP" wording is poor and
>    >     should be removed, or replaced by something which takes into account
>    >     the whole IPsec traffic (both for the detection of the address change
>    >     and for the update of the endpoint behind NAT address).
>    I think there was also typo, it should say:
>    "any authenticated UDP encapsulated ESP packet"
> => this is fine but doesn't take into account that these packets too
> should be sent to the IP address and port from the last valid...
> I.e., the "implicit peer address mechanism" for the peer behind a NAT
> should be applied to all the UDP 4500 IKE and ESP packets, not only
> to IKE packets. This is both more resilient (as explain at the beginning
> of the mentioned paragraph) but also more secure (a pseudo-NAT attacker
> has to stay on the path). BTW IMHO it is easier to implement too (only
> one state of the UDP 4500 stuff per peer).

I think the current draft does say that. It says that host not behind
NAT SHOULD send all packets to the last valid authenticated source
address seen from the peer. And then it says that both IKE packets and
UDP encapsulated ESP packets can be used to get that last
authenticated source address. 

>    In the current version attacker can cause packets to diver to
>    different address by modifying the packets on the fly, but only one by
>    one basis (i.e each packet needs to be diverted separately).
> => unfortunately this is true only for IKE itself, not for the IPsec
> traffic managed with IKE.

IPsec traffic does not change addresses at all unless there is NAT
between. The current draft explictly says that the IPsec SA is created
implictly between the ip address used for the IKE SA. I.e unless there
is NAT-T the ESP packets will always same source and destination IP
pair that what was used when they were negotiated.

There will be new wg/document describing how to change the address of
the already exising SAs later, but in the current document it is
simply said that it cannot be done yet.
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/