Greetings all! Over the holidays I wrote some code, for testing purposes, to exploit the DoS recently found in Microsoft's IKE implementation. Because of a simple coding error, the packets I was generating had a source port of 1024, _not_ a source port of 500 which is always associated with IKE traffic. The code, however, was still effective in causing a DoS condition on the target machine. I fixed the error, but this got me thinking. Everything I've read in documentation and experienced on production networks IKE packets always have a source port of 500. So why was Microsoft's IKE implementation happily accepting packets that didn't? Shouldn't this be one of the first things on the list to be checked before a packet is processed? All of the packet captures, books, research papers, reference information, newsgroup and mailinglist postings I went through referenced IKE packets having a source port of 500. Thinking back, all of the products I've worked with that specifically dealt with IKE traffic categorized this type of traffic by stating it would have a destination _and_ source port of 500. This further deepened my curiosity as to why Microsoft's implementation would process these packets. Deciding to go right to the source, I referred to the ISAKMP RFC: (from http://www.ietf.org/rfc/rfc2408.txt) 2.5.1 Transport Protocol ISAKMP can be implemented over any transport protocol or over IP itself. Implementations MUST include send and receive capability for ISAKMP using the User Datagram Protocol (UDP) on port 500. UDP Port 500 has been assigned to ISAKMP by the Internet Assigned Numbers Authority (IANA). Implementations MAY additionally support ISAKMP over other transport protocols or over IP itself. Notice that this doesn't specify that IKE packets _must_ have a source port of 500, it simply says 'port 500'. Can someone point me to any piece of documentation which specifies that IKE packets _must_ have a source port of 500? Is this one of those 'unofficial standards' and hence the reason for Microsoft's implementation processing these packets as normal? Thanks, Abe -- Abe L. Getchell Security Engineer abegetchellat_private
This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 18:14:36 PST