"ISAKMP" flaws?

[Steven M. Bellovin]

In message <p0623095bbf9fcc37f2d1@[10.20.30.249]>, Paul Hoffman writes:
>At 10:14 AM -0500 11/15/05, Perry E. Metzger wrote:
>>Some articles have been appearing in various web sites about flaws in
>>IPSec key negotiation protocols, such as this one:
>>
>>http://news.com.com/VPN+flaw+threatens+Internet+traffic/2100-1002_3-5951916.h
>tml
>>
>>I haven't been following the IPSec mailing lists of late -- can anyone
>>who knows details explain what the issue is?
>
>The advisory itself is at 
><http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en>. 
>Note that the abstract is "Multiple Vulnerability Issues in 
>Implementation of ISAKMP Protocol", with emphasis on "Implementation 
>of". It appears that this is *not* a problem with ISAKMP or IKE, but 
>instead only a problem with some implementations. A summary would be 
>"when some IKEv1 implementations are sent certain malformed messages, 
>they stop, reboot, or possibly do other bad things".
>
>Given that they started this research with sending malformed SNMP 
>packets to SNMP-aware systems (with similar results), it is safe to 
>extrapolate the results to implementations of nearly any protocol to 
>varying extents. It is likely that this applies to IKEv2 as well, but 
>using differently-malformed packets. It is also likely that it 
>applies to some SSL/TLS implementations, of course using very 
>different malformed packets.
>

I mostly agree with you, with one caveat: the complexity of a spec can 
lead to buggier implementations.  Sure, even relatively simple 
protocols can be implemented poorly, but complex ones have more places 
to go wrong.  (It's instructive, I might add, to read RFC 1025, 
especially the part about "dirty blows".)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com