[IPsec] Review of the RoHC over IPsec drafts

To: Yoav Nir <ynir at checkpoint.com>
Subject: [IPsec] Review of the RoHC over IPsec drafts
From: Tero Kivinen <kivinen at iki.fi>
Date: Tue, 9 Sep 2008 15:34:55 +0300
Cc: rohc at ietf.org, ertekin_emre at bah.com, pezeshki_jonah at bah.com, jasani_rohan at bah.com, ipsec at ietf.org, christou_chris at bah.com, cabo at tzi.org
Delivered-to: ietfarch-ipsec-web-archive at core3.amsl.com
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <674C0769-E278-4A59-A490-7634F2B0FF83 at checkpoint.com>
List-archive: <http://www.ietf.org/pipermail/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <674C0769-E278-4A59-A490-7634F2B0FF83 at checkpoint.com>
Sender: ipsec-bounces at ietf.org

Yoav Nir writes:
> The IKE & IPsec drafts talk about the use of integrity algorithms to  
> verify that decompression was successful. According to section 2.1 of  
> the IKEv2 draft, these algorithms are the same algorithms (with  
> associated keys) as those used in IPsec. I can't figure out why you  
> would want this. The entire packet, compressed header and data  
> included, is already integrity protected by IPsec. An attacker can't  
> flip any bits because of the ESP ICV, so the RoHC ICV is simply there  
> to detect decompression errors. I don't see why we need to exceed the  
> recommendation in RFC 4995 to use CRC. Even if you have decided that  
> you want to upgrade error-detection ICV to a cryptographically strong  
> one, HMAC doesn't offer any benefit that I can see - you could use  
> straight MD5 or SHA-1 without any key, but I still don't see why CRC  
> is not good enough.

Attacker cannot flip bits, but it can remove entire packets. As the
rohc is statefull compression, removing packets will affect the state
of the decompressor, thus by removing selected packets from the stream
attacker can cause some future packets to be authenticated and
decrypted correctly, but decompressed after that by using wrong state,
thus causing the end packets to be different from the original packet.
As the IPsec is there to protect that there cannot be any
modifications to the packets, this implies that we also want to detect
this kind of attacks. Because of this we do need some kind of message
authentication code after the decompression to make sure the packet
matches the packet that was sent.
-- 
kivinen at safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [IPsec] Review of the RoHC over IPsec drafts
  - From: Yoav Nir
- Re: [IPsec] Review of the RoHC over IPsec drafts
  - From: Yaron Sheffer

References:
- [IPsec] Review of the RoHC over IPsec drafts
  - From: Yoav Nir

Prev by Date: [IPsec] FW: [rohc] CDRs for ROHCoIPSec
Next by Date: Re: [IPsec] IPsec Digest, Vol 53, Issue 3
Previous by thread: [IPsec] Review of the RoHC over IPsec drafts
Next by thread: Re: [IPsec] Review of the RoHC over IPsec drafts
Index(es):
- Date
- Thread

[IPsec] Review of the RoHC over IPsec drafts

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.