[anonsec] details of IKE/IPsec channel binding
Tero Kivinen
kivinen at iki.fi
Wed Mar 21 11:52:09 PDT 2007
Nicolas Williams writes:
> - Imagine I send a SYN packet protected with some SA, say, SPI 1001,
> but the SYN|ACK does not arrive in time so I retransmit, only this
> time I use a new SA (SPI 1002, say) because, say, the old one
> expired.
>
> We can get into a weird situation: the SA that _I_ see as the one
> used to protect the channel creation trigger is _different_ from the
> one seen by my peer, so we fail to agree on channel binding!
>
> This is how I came to add the notion of "end-point channel bindings" vs.
> "unique channel bindings."

As the first SPI 1001 already created the IKE SA and generated the
SKEYSEED, even if you create a new IPsec SA (using the same IKE SA, I
assume) the value generated from the SKEYSEED stays the same (it is tied
to the IKE SA, not to the IPsec SAs). I assume we are only talking about
IKEv2 here, as there is no point in doing any work on the obsoleted
protocols.

If you really destroyed the IKEv2 SA also between those two packets
then you would be seeing a different value, but on the other hand the
same happens if you happen to recreate a new private / public key pair
between those exchanges (and as the IKEv2 SA will probably be there for
several minutes in any case, the only reason to tear it down quickly
is a change of the authentication information, like the private /
public key pair, so that thing happening is not that uncommon when
compared to the first case).

Anyways you always need to take care of the case where some packet can
have two different channels bound to it, for example if some fragments
of the final packet arrived through the IPsec SA authenticated using
public key X of IKEv2 SA 1, and other parts came from the IPsec SA using
public key Y of IKEv2 SA 2. This can happen if you use the
fragmentation handling from RFC 4301 where you put non-first
fragments to one SA (which might be created using the host public /
private key pair X) and first fragments are put to the port-specific
IPsec SA which is created using the user's public / private key pair Y.

So there we are not talking about two different packets having
different channel binding values, we are talking about different parts
of the one packet having different channel bindings.
--
kivinen at safenet-inc.com
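
Added example, not part of the original message or of any draft: a sketch of the IKEv2 key hierarchy (SKEYSEED, SK_d and child KEYMAT as in RFC 7296, with HMAC-SHA-256 as the prf) showing that a value derived from SKEYSEED survives an IPsec SA rekey but not a new IKE SA. The channel_binding() derivation, its label and all byte values are constructed assumptions, since the message does not define the exact binding value.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # Negotiated prf; HMAC-SHA-256 is assumed for this example.
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ from RFC 7296: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


class IkeSa:
    def __init__(self, g_ir, ni, nr, spi_i, spi_r):
        # SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first output of
        # prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
        self.skeyseed = prf(ni + nr, g_ir)
        self.sk_d = prf_plus(self.skeyseed, ni + nr + spi_i + spi_r, 32)

    def child_keymat(self, ni, nr):
        # IPsec SA keys (no PFS): KEYMAT = prf+(SK_d, Ni | Nr), fresh nonces.
        return prf_plus(self.sk_d, ni + nr, 64)

    def channel_binding(self):
        # Hypothetical derivation: any value computed only from SKEYSEED.
        return prf(self.skeyseed, b"constructed-channel-binding-label")


def demo():
    # All inputs below are constructed sample values.
    ike1 = IkeSa(b"\x01" * 32, b"\x02" * 16, b"\x03" * 16, b"\x04" * 8, b"\x05" * 8)
    cb_spi_1001 = ike1.channel_binding()
    keymat_1001 = ike1.child_keymat(b"\x06" * 16, b"\x07" * 16)
    keymat_1002 = ike1.child_keymat(b"\x08" * 16, b"\x09" * 16)  # rekeyed SA
    cb_spi_1002 = ike1.channel_binding()
    # IKE SA torn down and re-established: new DH secret, nonces and SPIs.
    ike2 = IkeSa(b"\x0a" * 32, b"\x0b" * 16, b"\x0c" * 16, b"\x0d" * 8, b"\x0e" * 8)
    return {
        "same_binding_across_ipsec_sas": cb_spi_1001 == cb_spi_1002,
        "ipsec_keys_differ": keymat_1001 != keymat_1002,
        "binding_changes_with_new_ike_sa": cb_spi_1001 != ike2.channel_binding(),
    }
```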