Unauthorized Deletion of IPSec (and ISAKMP) SAs in Racoon
15 Jan. 2004
KAME Project is "a joint effort to create single solid software set, especially targeted at IPv6/IPSec". Racoon, KAME's IKE daemon, contains some flaws, that allow unauthorized deletion of IPSec (and ISAKMP) SAs.
Racoon's "authentication" of delete messages
When racoon receives a delete message containing the initiator cookie of a main/aggressive/base mode, that has not yet setup a ISAKMP SA, it fulfills the request, if the message also includes a (dummy) hash payload and originates from the right IP address. See isakmp_main() in isakmp.c and purge_isakmp_spi(), purge_IPSec_spi(), isakmp_info_recv() and isakmp_info_recv_d() in isakmp_inf.c for details and amusement.
INITIAL-CONTACT with racoon
It is nearly the same with INITIAL-CONTACT notifications, but there is no need of a (dummy) hash payload and it's way more effective, because it deletes all IPSec SAs "relatived to the destination address". See isakmp_info_recv_n() and info_recv_initialcontact() in isakmp_inf.c for additional information.
Using delete messages
An IPSec tunnel between vpn-gw-a and vpn-gw-a is established: vpn-gw-a# setkey -D
<vpn-gw-a's IP address> <vpn-gw-b's IP address>
esp mode=tunnel spi=4127562105(0xf6059979) reqid=0(0x00000000)
<vpn-gw-b's IP address> <vpn-gw-a's IP address>
esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
The attacker launches step 1 of his attack. He pretends to initiate a phase 1 exchange (with spoofed source IP address, of course):