Re: [IPsec] Review of the RoHC over IPsec drafts

To: Tero Kivinen <kivinen at iki.fi>
Subject: Re: [IPsec] Review of the RoHC over IPsec drafts
From: Yoav Nir <ynir at checkpoint.com>
Date: Tue, 9 Sep 2008 16:02:00 +0300
Cc: rohc at ietf.org, ertekin_emre at bah.com, pezeshki_jonah at bah.com, jasani_rohan at bah.com, ipsec at ietf.org, christou_chris at bah.com, cabo at tzi.org
Delivered-to: ietfarch-ipsec-archive at core3.amsl.com
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <18630.28015.487667.355981 at fireball.kivinen.iki.fi>
List-archive: <http://www.ietf.org/pipermail/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <674C0769-E278-4A59-A490-7634F2B0FF83 at checkpoint.com> <18630.28015.487667.355981 at fireball.kivinen.iki.fi>
Sender: ipsec-bounces at ietf.org

On Sep 9, 2008, at 3:34 PM, Tero Kivinen wrote:

> Yoav Nir writes:
>> The IKE & IPsec drafts talk about the use of integrity algorithms to
>> verify that decompression was successful. According to section 2.1 of
>> the IKEv2 draft, these algorithms are the same algorithms (with
>> associated keys) as those used in IPsec. I can't figure out why you
>> would want this. The entire packet, compressed header and data
>> included, is already integrity protected by IPsec. An attacker can't
>> flip any bits because of the ESP ICV, so the RoHC ICV is simply there
>> to detect decompression errors. I don't see why we need to exceed the
>> recommendation in RFC 4995 to use CRC. Even if you have decided that
>> you want to upgrade error-detection ICV to a cryptographically strong
>> one, HMAC doesn't offer any benefit that I can see - you could use
>> straight MD5 or SHA-1 without any key, but I still don't see why CRC
>> is not good enough.
>
> Attacker cannot flip bits, but it can remove entire packets. As the
> rohc is statefull compression, removing packets will affect the state
> of the decompressor, thus by removing selected packets from the stream
> attacker can cause some future packets to be authenticated and
> decrypted correctly, but decompressed after that by using wrong state,
> thus causing the end packets to be different from the original packet.
> As the IPsec is there to protect that there cannot be any
> modifications to the packets, this implies that we also want to detect
> this kind of attacks. Because of this we do need some kind of message
> authentication code after the decompression to make sure the packet
> matches the packet that was sent.

I agree, but I'm not saying that we don't need an ICV for the  
decompression, just that we don't need HMAC-SHA1. CRC is good enough  
to detect a mismatched decompressor state.
_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [IPsec] Review of the RoHC over IPsec drafts
  - From: Pasi.Eronen

References:
- [IPsec] Review of the RoHC over IPsec drafts
  - From: Yoav Nir
- [IPsec] Review of the RoHC over IPsec drafts
  - From: Tero Kivinen

Prev by Date: Re: [IPsec] Review of the RoHC over IPsec drafts
Next by Date: Re: [IPsec] Secure Crash Discovery for IKEv2
Previous by thread: Re: [IPsec] Review of the RoHC over IPsec drafts
Next by thread: Re: [IPsec] Review of the RoHC over IPsec drafts
Index(es):
- Date
- Thread

Re: [IPsec] Review of the RoHC over IPsec drafts

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.