Re: [Last-Call] Secdir last call review of draft-ietf-babel-mac-relaxed-04


On 4/9/2023 4:51 AM, Juliusz Chroboczek wrote:
> Thank you for your review.  I must, however, most respectfully disagree
> with your conclusions: the protocol is not vulnerable to the attacks that
> you describe.
>
>> In order to relax the packet counter checks used to detect duplicate messages,
>> the draft recommends doing separate checks for packets received in unicast and
>> multicast mode. However, the two modes use the same packet counter. Attackers
>> can replay in multicast mode packets sent in unicast mode, and bypass the
>> proposed check.
>
> No, they cannot.  If a packet originally sent to a unicast address is
> resent to a multicast address, this will be reflected in the pseudo-header
> (RFC 8967 Section 4.1).  Since the pseudo-header participates in HMAC
> computation, this will cause the HMAC test to fail (RFC 8967 Section 4.3,
> first bullet point).

You are correct. I have revised my review.

-- Christian Huitema

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
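The mechanism Juliusz points to, shown as an added example that is not part of the thread and not babeld's code: RFC 8967 computes the MAC over a pseudo-header (source address, source port, destination address, destination port) followed by the packet header and body, and the receiver fills that pseudo-header from the addresses it actually observed. Resending a unicast-addressed packet to ff02::1:6 therefore changes the destination field the receiver hashes over, and the MAC carried in the trailer no longer verifies. HMAC-SHA256 as the algorithm, the 16-byte key and the link-local addresses below are assumptions chosen for the demonstration; the port and multicast group are the ones RFC 8966 assigns to Babel.

```python
"""Added example: why a unicast Babel packet replayed to the multicast group
fails the RFC 8967 MAC check.  Not code from the thread or from babeld."""
import hashlib
import hmac
import ipaddress
import struct

BABEL_PORT = 6696              # RFC 8966
BABEL_MULTICAST = "ff02::1:6"  # RFC 8966 all-Babel-routers group

KEY = bytes(range(16))         # constructed sample key (assumption)
SENDER = "fe80::1"             # constructed link-local address (assumption)
RECEIVER = "fe80::2"           # constructed link-local address (assumption)


def pseudo_header(src_addr: str, src_port: int, dst_addr: str, dst_port: int) -> bytes:
    """RFC 8967 Section 4.1 pseudo-header: 16-octet source address, 2-octet
    source port, 16-octet destination address, 2-octet destination port.
    (IPv4 endpoints would be carried as IPv4-mapped IPv6 addresses.)"""
    return (ipaddress.IPv6Address(src_addr).packed + struct.pack("!H", src_port)
            + ipaddress.IPv6Address(dst_addr).packed + struct.pack("!H", dst_port))


def babel_packet(body: bytes) -> bytes:
    """Babel packet header (magic 42, version 2, body length) plus body.
    The MAC TLV travels in the packet trailer, which the MAC does not cover."""
    return struct.pack("!BBH", 42, 2, len(body)) + body


def compute_mac(key: bytes, src_addr: str, src_port: int,
                dst_addr: str, dst_port: int, packet: bytes) -> bytes:
    """MAC over pseudo-header || packet; HMAC-SHA256 assumed as the algorithm."""
    data = pseudo_header(src_addr, src_port, dst_addr, dst_port) + packet
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_accepts(key: bytes, src_addr: str, src_port: int, dst_addr: str,
                     dst_port: int, packet: bytes, received_mac: bytes) -> bool:
    """RFC 8967 Section 4.3, first check: recompute the MAC using the
    addresses and ports the receiver actually observed, then compare."""
    expected = compute_mac(key, src_addr, src_port, dst_addr, dst_port, packet)
    return hmac.compare_digest(expected, received_mac)


def replay_demo() -> tuple:
    """Returns (accepted as sent, accepted after replay to multicast)."""
    body = b"\x00" * 8  # constructed body; its TLV contents are irrelevant here
    packet = babel_packet(body)

    # Sender computes the MAC for unicast delivery to RECEIVER.
    mac = compute_mac(KEY, SENDER, BABEL_PORT, RECEIVER, BABEL_PORT, packet)

    # Legitimate delivery: receiver observes its own unicast address as destination.
    unicast_ok = receiver_accepts(KEY, SENDER, BABEL_PORT, RECEIVER, BABEL_PORT,
                                  packet, mac)

    # Attacker resends the identical packet and MAC to the multicast group.
    # The receiver now hashes over dst = ff02::1:6, so the MAC does not match.
    replay_ok = receiver_accepts(KEY, SENDER, BABEL_PORT, BABEL_MULTICAST,
                                 BABEL_PORT, packet, mac)
    return unicast_ok, replay_ok


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```

The same argument applies in the other direction: a multicast packet resent to a neighbour's unicast address hashes over a different destination and fails the same check, which is why the draft's separate unicast and multicast packet-counter windows cannot be bridged by replay even though both directions share one counter.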
