Reshad,
> On Feb 6, 2024, at 11:51 AM, Reshad Rahman <res...@yahoo.com> wrote: > > Jeff, you mention below that NULL auth with sequence numbers is impractical > to use for optimizing authentication. I agree that NULL auth doesn't help > with an active attacker, but it still gives protection against "random" > attacks? Unfortunately not in all circumstances. The attack in this case is a form of "blind injection" attack. As John notes in other bit of the thread, when sessions are protected via GTSM, this limits where the attack can come from. So, this would apply to whomever can inject packets that successfully get past the other necessary checks. TCP is vulnerable vs. some flavors of this as well. Long lived tcp sessions, such as BGP, need the protections covered by tcp-md5/ao or other protection such as ipsec to guard against such things. > ISAAC works for active attacks but I don't understand why no-auth still > works, no-auth is weaker than NULL auth: you don't need to be an active > attacker to knock over a session with no-auth? With no-auth, the only thing you can say is "the session is still up". In the optimized case we're guarding against parameter changes so that's all we get to do. It's the introduction of sequence number checks vs. the existing meticulous sequence number procedures we see similar to md5 or sha-1 that introduce the problematic edge case. -- Jeff
