
RE: [Hipsec] Question about HIP base exchange



 

> -----Original Message-----
> From: Philip Matthews [mailto:philip_matthews at magma.ca] 
> Sent: Monday, September 17, 2007 2:14 PM
> To: HIP WG
> Subject: [Hipsec] Question about HIP base exchange
> 
> Say an Initiator wants to establish a HIP association with some node
> with HIT Y. It sends off an I1 packet which travels through various
> middleware boxes and finally arrives at some node that purports to be
> Y. This node, in turn, replies with an R1 packet which travels back
> through middleware boxes to the Initiator. The two nodes then exchange
> I2 and R2 packets.
>
> Question: At what point does the Initiator know that it really is
> talking to node Y?

When R2 is validated.

> In other words, what prevents an attacker from
> intercepting or caching an R2 response from HIT Y and replaying it to
> make the Initiator believe that it has HIT Y?

Each base exchange should use a different Diffie-Hellman key, and the
Diffie-Hellman keying material is used to extract the HMAC keys, so a
replayed R2 should fail the HMAC_2 verification.

> 
> I am guessing that the Initiator does not know that it is really  
> talking to HIT Y until it receives the R2 packet. Am I right?
> 

Yes, it is possible that an R1 could have been replayed, although the R1
generation counter is designed to limit the possibility of succumbing to
such an attack.

- Tom

_______________________________________________
Hipsec mailing list
Hipsec at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/hipsec
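
The replay argument in the reply above, as an added example that is not part of the original message and is not HIP's packet format or key derivation. It assumes a toy Diffie-Hellman group, SHA-256 as a stand-in key derivation, and a constructed R2 body; the Responder's DH value is held constant to model a replayed R1.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, assumed for illustration only (far too small for real use).
P = 2**127 - 1  # Mersenne prime
G = 3

def dh_keypair():
    """Return (private, public) for a fresh ephemeral DH key."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_hmac_key(own_priv, peer_pub):
    """Derive an HMAC key from the DH shared secret (SHA-256 stands in for the real KDF)."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(b"hmac-key" + shared.to_bytes(16, "big")).digest()

def build_r2(key, hit_r, hit_i):
    """Constructed R2: a body naming both HITs plus an HMAC over it."""
    body = b"R2|" + hit_r + b"|" + hit_i
    return body, hmac.new(key, body, hashlib.sha256).digest()

def verify_r2(key, r2):
    body, tag = r2
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)

def replay_demo():
    hit_i, hit_r = b"HIT-I", b"HIT-Y"  # constructed labels, not real HITs
    r_priv, r_pub = dh_keypair()       # Responder DH value, as carried in a (possibly replayed) R1

    # Exchange 1: genuine run; an attacker records the R2.
    i1_priv, i1_pub = dh_keypair()
    captured_r2 = build_r2(derive_hmac_key(r_priv, i1_pub), hit_r, hit_i)
    first_ok = verify_r2(derive_hmac_key(i1_priv, r_pub), captured_r2)

    # Exchange 2: the Initiator picks a fresh DH key, so its HMAC key changes.
    i2_priv, i2_pub = dh_keypair()
    i2_key = derive_hmac_key(i2_priv, r_pub)
    replay_ok = verify_r2(i2_key, captured_r2)  # the recorded R2 is replayed
    genuine_ok = verify_r2(
        i2_key, build_r2(derive_hmac_key(r_priv, i2_pub), hit_r, hit_i))
    return first_ok, replay_ok, genuine_ok

if __name__ == "__main__":
    print(replay_demo())
```

The R2 body is byte-for-byte identical in both exchanges, so the rejection comes only from the changed Diffie-Hellman keying material.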