Re: [Ipsec] Purpose of sequence numbers




In message <418A39B2.4020902 at astaro.de>, Ulrich Weber writes:
>
>Hi all,
>
>at the moment I'm writing a thesis about an IPSec takeover solution. One crux
>is sequence numbers. IKEv2 plans to add sequence numbers even for IKE SAs.
>
>But I don't get the meaning of sequence numbers in IPSec at all. What is
>their purpose?
>
>Most of the encrypted traffic is TCP, which has its own sequence numbers and
>is invulnerable to IPsec replay attacks.
>The second biggest amount of traffic is UDP. OK, it's vulnerable to replay
>attacks, but what harm could someone do with DNS replay attacks, where no
>data can be modified within the UDP packet?
>
>So the only possibility I can think of is DoS attacks to consume as much CPU
>power for decrypting IPsec packets as possible.
>
>
>Aren't the SPI numbers sufficient to prevent third-party attackers (who
>are not able to sniff the IPsec traffic) from DoS attacks?
>
>So any DoS attack has to come from one of the two sides and has to be able to
>sniff the packets. However, a local 100 MBit connection should be sufficient
>to DoS an IPSec system even with wrong seq numbers.
>


See http://www.research.att.com/~smb/papers/badesp.ps (or .pdf), 
Steven M. Bellovin, "Problem Areas for the IP Security Protocols," in
Proceedings of the Sixth Usenix Unix Security Symposium, pp. 1-16,
San Jose, CA, July 1996.

		--Steve Bellovin, http://www.research.att.com/~smb
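The receiver-side anti-replay window that the question is about, as an added example that is not part of the original thread or of any IPsec implementation: a sliding window in the style of RFC 4303 section 3.4.3, run over a constructed packet trace. The `icv_ok` flag is an assumption standing in for the real integrity check; the point shown is that a replayed or stale sequence number is discarded before any decryption or ICV computation is spent on it, and that the window only advances after the ICV verifies.

```python
# ESP-style anti-replay sliding window (RFC 4303, section 3.4.3). Added
# example for this thread, not the poster's code or a real IPsec stack.
# icv_ok below is a constructed boolean standing in for ICV verification.

class AntiReplayWindow:
    """Highest accepted sequence number plus a bitmap of the last `size`
    numbers, so a duplicate is dropped before any decryption work."""
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means highest - i was received

    def check(self, seq):
        """Cheap pre-crypto test: is seq new and inside the window?"""
        if seq == 0:
            return False                 # ESP never sends seq 0
        if seq > self.highest:
            return True                  # right of window: always new
        diff = self.highest - seq
        if diff >= self.size:
            return False                 # left of window: too old
        return not (self.bitmap >> diff) & 1

    def accept(self, seq):
        """Record seq; call only after the ICV has verified."""
        if seq > self.highest:
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

def receive(window, packets):
    """packets: iterable of (seq, icv_ok). Returns one verdict per packet."""
    verdicts = []
    for seq, icv_ok in packets:
        if not window.check(seq):
            verdicts.append((seq, "dropped: replay or outside window"))
        elif not icv_ok:
            verdicts.append((seq, "dropped: bad ICV"))
        else:
            window.accept(seq)
            verdicts.append((seq, "accepted"))
    return verdicts

# Constructed trace: in order, a reorder, a replay of 2, a forged 5, the
# real 5, a jump to 70, then 6 arriving after the window has moved past it.
SAMPLE = [(1, True), (2, True), (4, True), (3, True), (2, True),
          (5, False), (5, True), (70, True), (6, True)]
```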



_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec