Thread: Replay protection (was RE: Review of draft-vidya-mipshop-handover-keys-aaa-02)
user name
2006-06-07 04:15:32
All,
Lakshminath, in his review of the draft, raised a question on how replay protection is handled in draft-vidya-mipshop-handover-keys-aaa-02. A brief summary of the currently specified behavior:

The HKReq/HKResp messages contain a message ID and a sequence number. Both are randomly chosen by the MN in the HKReq. The message ID stays the same in retransmissions, while the sequence number is incremented for every retransmission. The HKReq message is integrity protected using a key that the MN shares with the AAA server. If an adversary replayed the HKReq as-is, the AR would be able to drop that packet, since it must never receive multiple HKReq messages with the same message ID and sequence number from an MN. If the adversary changed the sequence number and transmitted the HKReq, this message will only be dropped at the AAA server (due to a failed integrity check). Basically, the sequence number was included to detect blind replays at the AR, so that such replayed messages are not sent to the AAA server.

The protocol, in addition, has timestamp-based replay protection end-to-end (however, it is specified as optional). The timestamp provides "absolute" end-to-end replay protection between the MN and the AAA server.

Lakshminath raised the point that differentiating between such "blind" replays, where the adversary replays the packet with no modifications, and replays where the adversary does modify the packet to pass through the AR is unnecessary. At the time of writing the draft, we debated the inclusion of the sequence number in addition to the message ID quite a bit and felt that it does have some value.

Does anyone have thoughts on whether such a distinction in message replays is needed/useful?

Thanks,
Vidya

ps: Lakshminath, please correct me if I have misstated your comment here.
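The behaviour summarised in the post, as an added example that is not part of the original message or of the draft: an AR that only remembers (MN, message ID, sequence number) triples and so can drop blind replays but not modified ones, an AAA server that holds the MN's key and catches modified replays through the integrity check, and the optional timestamp as the only check that survives a replay at a different AR. The field names, the HMAC-SHA256 MAC, the byte encoding, the 32-bit random identifiers and the 60-second timestamp window are all assumptions made here for illustration; the draft specifies none of them in this form.

```python
"""Toy model of HKReq replay handling at the AR and the AAA server.

Added example, not code from the draft or from the list. Field names, the
HMAC-SHA256 MAC, the wire encoding and TS_WINDOW are assumptions; a
timestamp of 0 stands for "timestamp not present" (also an assumption).
"""
import hashlib
import hmac
import os
import struct

TS_WINDOW = 60  # assumed acceptance window (seconds) for the optional timestamp


def mac_input(msg: dict) -> bytes:
    """Bytes the MN-AAA key protects: MN identity, message ID, seq, timestamp."""
    return msg["mn"] + struct.pack(">QQQ", msg["msg_id"], msg["seq"], msg["ts"])


def build_hkreq(mn: bytes, key: bytes, msg_id: int, seq: int, ts: int = 0) -> dict:
    """MN side: assemble an HKReq and MAC it with the key shared with the AAA."""
    msg = {"mn": mn, "msg_id": msg_id, "seq": seq, "ts": ts}
    msg["mac"] = hmac.new(key, mac_input(msg), hashlib.sha256).digest()
    return msg


def new_hkreq(mn: bytes, key: bytes, ts: int = 0) -> dict:
    """Fresh request: message ID and sequence number both randomly chosen by the MN."""
    msg_id = int.from_bytes(os.urandom(4), "big")
    seq = int.from_bytes(os.urandom(4), "big")
    return build_hkreq(mn, key, msg_id, seq, ts)


def retransmit(msg: dict, key: bytes) -> dict:
    """Retransmission: same message ID, sequence number incremented, MAC recomputed."""
    return build_hkreq(msg["mn"], key, msg["msg_id"], msg["seq"] + 1, msg["ts"])


class AccessRouter:
    """AR: has no key, so it can only recognise an HKReq it has already forwarded."""

    def __init__(self):
        self.seen = set()

    def accept(self, msg: dict) -> bool:
        triple = (msg["mn"], msg["msg_id"], msg["seq"])
        if triple in self.seen:
            return False  # identical HKReq already forwarded: blind replay, drop here
        self.seen.add(triple)
        return True


class AAAServer:
    """AAA: holds the MN key, verifies integrity and, if present, the timestamp."""

    def __init__(self, keys: dict, now_fn):
        self.keys = keys
        self.now = now_fn

    def accept(self, msg: dict) -> bool:
        key = self.keys.get(msg["mn"])
        if key is None:
            return False
        expected = hmac.new(key, mac_input(msg), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # altered on the way (e.g. replay with a bumped seq): integrity failure
        if msg["ts"] and abs(self.now() - msg["ts"]) > TS_WINDOW:
            return False  # optional end-to-end timestamp check
        return True


def deliver(ar: AccessRouter, aaa: AAAServer, msg: dict) -> str:
    """Push one HKReq through the AR and then the AAA; report where it stopped."""
    if not ar.accept(msg):
        return "dropped at AR"
    if not aaa.accept(msg):
        return "dropped at AAA"
    return "accepted"


def scenario() -> dict:
    """Constructed exchange covering each case the post distinguishes."""
    key = b"mn-aaa-shared-key-constructed"  # constructed sample key
    mn = b"mn1"
    clock = {"t": 1_000_000}
    ar, aaa = AccessRouter(), AAAServer({mn: key}, lambda: clock["t"])
    results = {}

    req = new_hkreq(mn, key, ts=clock["t"])
    results["original"] = deliver(ar, aaa, req)
    results["retransmit"] = deliver(ar, aaa, retransmit(req, key))
    results["blind_replay"] = deliver(ar, aaa, dict(req))  # attacker resends as-is

    tampered = dict(req)
    tampered["seq"] = req["seq"] + 7  # attacker bumps seq but cannot fix the MAC
    results["modified_replay"] = deliver(ar, aaa, tampered)

    # A different AR has no memory of the triple; only the timestamp can stop this.
    clock["t"] += 10 * TS_WINDOW
    results["replay_at_new_ar"] = deliver(AccessRouter(), aaa, dict(req))

    # Same replay when the MN chose not to send a timestamp: nothing catches it.
    req_no_ts = new_hkreq(mn, key)
    deliver(ar, aaa, req_no_ts)
    results["replay_no_ts_at_new_ar"] = deliver(AccessRouter(), aaa, dict(req_no_ts))
    return results
```

The last two cases are the practical point behind the "absolute" wording in the post: the AR cache is local to one AR, so once the optional timestamp is omitted the AAA server in this model has nothing left to reject a captured HKReq that arrives through a router that has not seen it before.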

_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop
