[anonsec] details of IKE/IPsec channel binding
Nicolas Williams
Nicolas.Williams at sun.com
Wed Mar 21 12:33:34 PDT 2007
On Wed, Mar 21, 2007 at 08:52:09PM +0200, Tero Kivinen wrote:
> Nicolas Williams writes:
> > - Imagine I send a SYN packet protected with some SA, say, SPI 1001,
> > but the SYN|ACK does not arrive in time so I retransmit, only this
> > time I use a new SA (SPI 1002, say) because, say, the old one
> > expired.
> >
> > We can get into a weird situation: the SA that _I_ see as the one
> > used to protect the channel creation trigger is _different_ from the
> > one seen by my peer, so we fail to agree on channel binding!
> >
> > This is how I came to add the notion of "end-point channel bindings" vs.
> > "unique channel bindings."
>
> As the first SPI 1001 already creted the IKE SA and generated the
> SKEYSEED, even if you crete new IPsec SA (using the same IKE SA, I
> assume) the value generated from the SKEYSEED stays same (it is tied
> to IKE SA not to the IPsec SAs). I assume we are only talking about
> IKEv2 here, as there is no point of doing any work on the obsoleted
> protocols.
This needs to work for IKEv1. Assuming that the IKE_SA is still around
is not a good assumption.
Besides, the used of the public key values of the two peers as the
channel binding suffices.
Nico
--
More information about the ANONSEC
mailing list