
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] strict DPD cookie check
From:       Roman Hoog Antink <rha () open ! ch>
Date:       2011-04-13 0:55:43
Message-ID: 4DA4F48F.1060809 () open ! ch

Hi

Since I fail to see any security implication, I produced this patch that
makes racoon ignore the cookie content in DPD acks. This is in full
compliance with RFC 3706 and allows racoon to use DPD with old Cisco
devices that send inverted cookies (initiator/responder) in the
encrypted part of the packets.

This patch can also make DPD work with other vendors that do not send
valid cookies within the DPD payload at all.

Because the sequence number, which is in the encrypted part of DPD
packets, is still being checked, this does not mean that racoon will
accept bogus DPD acks.

Regards,
-Roman

["ignore-dpd-cookie.patch" (text/x-patch)]

diff -rup ipsec-tools-0.8.0.orig/src/racoon/isakmp_inf.c ipsec-tools-0.8.0/src/racoon/isakmp_inf.c
--- ipsec-tools-0.8.0.orig/src/racoon/isakmp_inf.c	2011-03-16 00:20:14.000000000 +1100
+++ ipsec-tools-0.8.0/src/racoon/isakmp_inf.c	2011-04-08 18:14:19.877082777 +1000
@@ -1467,9 +1467,18 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 
 	if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
 	    memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) {
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			 "Cookie mismatch in DPD ACK!.\n");
-		return 0;
+		if (!memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t)) &&
+		    !memcmp(ru->r_ck, iph1->index.i_ck, sizeof(cookie_t))) {
+			/* Some very old Cisco devices cause this. */
+			plog(LLV_DEBUG, LOCATION, iph1->remote,
+				"Reversed cookies in DPD ACK ignored.\n");
+		} else {
+			/* At least the sequence number and type were verified
+			 * above as encrypted payload (RFC 3706).
+			 */
+			plog(LLV_DEBUG, LOCATION, iph1->remote,
+				"Cookie mismatch in DPD ACK ignored.\n");
+		}
 	}
 
 	iph1->dpd_fails = 0;
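Review bot: with the `return 0` dropped, every cookie mismatch now falls through to `iph1->dpd_fails = 0;`, so the only thing the inner `memcmp` pair decides is which LLV_DEBUG message is printed; the two branches are otherwise identical. The `else` comment says the sequence number and type were "verified above", but that check is outside this hunk, so accepting an arbitrary cookie mismatch here is only safe as long as that earlier check stays ahead of this one; a short note in the commit message stating that dependency would help future readers. Consider logging the non-reversed mismatch at LLV_WARNING rather than LLV_DEBUG (or keeping the reject behind a configuration option), so that a peer sending unrelated cookies remains visible to an operator instead of being silently treated as a valid ack.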

