
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing

Can anybody provide a description of or a pointer to this attack?

-Mike

"Michael H. Warfield" <mhw@wittsend.com> on 01/30/2000 08:08:05 PM

Sent by:  "Michael H. Warfield" <mhw@wittsend.com>


To:   Michael Richardson <mcr@solidum.com>
cc:   ipsec@lists.tislabs.com, "Mr. Anderson" <neo@silkroad.com> (Mike
      Borella/MW/US/3Com)
Subject:  Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing

On Sun, Jan 30, 2000 at 06:30:57PM -0500, Michael Richardson wrote:

>   Yes, it is widely known. It is not a serious flaw, it is a fact of life.

     If you are referring to "cookie_crumb", yes it is "somewhat" known
(in some circles) and it seems to be moderately effective.  I'm still
looking into how effective.  As far as it being "a fact of life", that
is another question.  There are arguments that there are ways to have
avoided it.  When it comes down to brass tacks, when I publish a security
advisory saying this protocol is flawed and it could have been avoided, we
are not going to have a pretty sight.  It remains particularly disturbing
that in spite of all the rhetoric at the IETF conferences about security
being built into protocols and standards, we still ended up with a SECURITY
protocol with potentially serious security flaws in it.

>   Switching to TCP does nothing. If you naively implement ISAKMP on top
> of TCP, then you must include TCP SYN spoof protection, which is much more
> difficult to deploy and hard to provide different levels of protection for,
> say, HTTP servers vs ISAKMP daemons.

     I believe the argument was that the problem with creating state
due to spoofed packets could have been avoided.  It has nothing to do with
tcp vs udp.  I'm not at the bottom of it yet, but it appears that some
bad choices may have been made and some issues were not given the
serious consideration they deserved.

>   If you look at TCP SYN spoof protection, you'll discover that it involves
> the use of cookies as non-predictable sequence numbers, and thus is
> identically equivalent to what ISAKMP has.

     Again...  Not a tcp vs udp issue.  Tcp spoof protection relies
fundamentally on the unpredictability of the sequence numbers, hence the
Kevin Mitnick style tcp spoofing attacks.  The same thing could have been
done with ISAKMP cookies.  It, apparently, was not.  The failure to deal with
this possibility (what Bruce Schneier describes as programming Satan's
computer - or designing in the face of active hostile intent) will force us
to correct this flaw in the long term.  It would have been better if the
choice had not been to expose us to such security embarrassments.
Unfortunately, we don't always have that luxury.  Equally unfortunate is
all the vendors who are about to be dumped on due to "cookie_crumb".

>    :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
>    Michael Richardson |For a better connected world,where data flows faster<tm>
>  Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
>    mailto:mcr@sandelman.ottawa.on.ca   mailto:mcr@solidum.com

     Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
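The point argued above, that a responder can use an unpredictable cookie (in the manner of TCP SYN cookies) so that no state is created for a spoofed source, as an added illustration that is not part of the thread and not any ISAKMP implementation's code. The message fields, the Responder class, the HMAC construction and the time-slot window are all assumptions chosen for the example.

```python
import hmac
import hashlib
import os

# Assumed design, modeled on SYN cookies: the cookie is a keyed hash over the
# peer's address/port and a coarse time slot, so the responder keeps nothing
# until the peer echoes a cookie it could only have received at that address.
SECRET = os.urandom(32)   # per-responder secret; rotate it periodically
SLOT_SECONDS = 60         # cookie validity window (assumed value)


def make_cookie(src_ip, src_port, now, secret=SECRET):
    """Derive an 8-byte cookie bound to the source and the current slot."""
    slot = int(now // SLOT_SECONDS)
    msg = f"{src_ip}|{src_port}|{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def verify_cookie(cookie, src_ip, src_port, now, secret=SECRET):
    """Accept the current and the previous slot so a cookie issued just
    before a slot boundary still verifies; nothing is looked up in a table."""
    for delta in (0, SLOT_SECONDS):
        expected = make_cookie(src_ip, src_port, now - delta, secret)
        if hmac.compare_digest(cookie, expected):
            return True
    return False


class Responder:
    """Hypothetical responder: session state exists only after cookie check."""

    def __init__(self):
        self.sessions = {}

    def on_first_message(self, src_ip, src_port, now):
        # Reply with a cookie and allocate nothing. A spoofed source never
        # sees this reply, so it cannot produce a valid second message.
        return make_cookie(src_ip, src_port, now)

    def on_second_message(self, src_ip, src_port, cookie, now):
        if not verify_cookie(cookie, src_ip, src_port, now):
            return False  # drop silently; still no state allocated
        self.sessions[(src_ip, src_port)] = {"established_at": now}
        return True
```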