[VPN] Is IP address spoofing possible with ESP transport mode?

Siddhartha Jain losttoy2000 at yahoo.co.uk
Tue Feb 8 02:48:31 EST 2005


The need for origin authenticity is to avoid
man-in-the-middle attacks where an attacker sits in
the middle of the conversation and *proxies* the
connection. 

With ESP in transport mode, that isn't possible
because the payload is encrypted so a
man-in-the-middle wouldn't be able to grab the data.

Spoofing IP addresses with Transport-mode ESP will
only give you routing headaches ;)

- Siddhartha (CISSP)


 --- Son Phan <son_ml at freemail.hu> wrote: 
> Hello IPSec folks,
> 
> As far as I know the IP header is not protected in ESP
> mode, so in transport mode the source IP may be modified.
> 
> Imagine the following scenario:
> 
> -Bad guy Bob sets up a transport ESP SA with server
> S. The SA is identified by S's IP address, SPI and SA mode (ESP)
> 
> -After setting up this SA, Bob sends an IP packet
> protected with this SA's parameters, but puts Victim Alice's
> IP address into the source IP address field.
> As the {dest_IPaddr, SPI, mode} trio points to the valid
> SA, the packet can be decrypted successfully. However the result will
> be an IP packet with a fake source IP address.
> 
> Question:
> -Can that case really happen or did I miss
> something?
> 
> -There is a source address field in the SA. Is it
> mandatory to check this value against the source IP address
> to protect against the above case? I have some
> doubt about it as it can be a wildcard in many cases.
> 
> -Is there any measure to protect against the case described
> here?
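As an added illustration (not part of either poster's message), a toy inbound receiver that separates the SA lookup Son Phan describes ({dest_IPaddr, SPI, mode}) from the inbound selector check that RFC 2401/4301 requires after decryption, and shows which of the two stops the forged source address. The addresses, SPI, key and the integrity-only stand-in for ESP are constructed assumptions.

```python
import hmac, hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int
    local: str    # protected host (server S in the thread)
    remote: str   # peer the SA was negotiated with (Bob)
    key: bytes    # constructed integrity key

class Receiver:
    """Toy inbound processing: SA lookup, ICV check, then selector check."""
    def __init__(self, sas, enforce_selectors=True):
        # SAD keyed exactly as the question describes: {dest_IPaddr, SPI, mode}
        self.sad = {(sa.local, sa.spi, "ESP"): sa for sa in sas}
        self.enforce_selectors = enforce_selectors

    def receive(self, src, dst, spi, payload, icv):
        sa = self.sad.get((dst, spi, "ESP"))
        if sa is None:
            return "drop: no SA"
        # ESP's ICV covers the ESP payload, not the outer IP header, so a
        # packet with a forged source address still verifies here.
        expected = hmac.new(sa.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):
            return "drop: bad ICV"
        # Inbound selector check (RFC 2401/4301 sec. 5.2): the packet must match
        # the SA's selectors. This, not the crypto, is what catches the spoof.
        if self.enforce_selectors and src != sa.remote:
            return f"drop: src {src} does not match SA remote {sa.remote}"
        return f"accept from {src}: {payload.decode()}"

def demo(enforce_selectors):
    """Replay the thread's scenario; returns (legit_result, spoofed_result)."""
    key = b"constructed-demo-key"
    sa = SA(spi=0x1001, local="192.0.2.10", remote="198.51.100.7", key=key)
    rx = Receiver([sa], enforce_selectors)
    payload = b"hello"
    icv = hmac.new(key, payload, hashlib.sha256).digest()
    legit = rx.receive("198.51.100.7", "192.0.2.10", 0x1001, payload, icv)
    # Same SA and same valid ICV, but the unprotected source set to Alice's address
    spoofed = rx.receive("203.0.113.5", "192.0.2.10", 0x1001, payload, icv)
    return legit, spoofed

if __name__ == "__main__":
    for flag in (False, True):
        print(f"enforce_selectors={flag}: {demo(flag)}")
```

With `enforce_selectors=False` the receiver behaves as the question fears and accepts the packet; with the selector check on, the same packet is dropped because the source address does not match the SA's remote selector.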

