From 6f57449164af95ef7846cc54fb60c9268dfe317b Mon Sep 17 00:00:00 2001
From: Ilia Shipitsin
Date: Sat, 22 Jun 2024 18:53:35 +0200
Subject: [PATCH] src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA

many thanks to Jonathan Phillibert from Amazon Web Services for investigating and reporting that responding to such packets might lead to traffic amplification
---
 src/Cedar/Proto_IKE.c | 34 ++++------------------------------
 1 file changed, 4 insertions(+), 30 deletions(-)

diff --git a/src/Cedar/Proto_IKE.c b/src/Cedar/Proto_IKE.c
index beaf09ab..5d407494 100644
--- a/src/Cedar/Proto_IKE.c
+++ b/src/Cedar/Proto_IKE.c
@@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 seq = READ_UINT(src + sizeof(UINT));
 // Search and retrieve the IPsec SA from SPI
+
+ // thank to @phillibert report, responding to bad SA might lead to amplification
+ // according to RFC4303 we should drop such packets
+
 ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 if (ipsec_sa == NULL)
 {
- // Invalid SPI
- UINT64 init_cookie = Rand64();
- UINT64 resp_cookie = 0;
- IKE_CLIENT *c = NULL;
- IKE_CLIENT t;
-
- Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
- t.ClientPort = p->SrcPort;
- Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
- t.ServerPort = p->DestPort;
- t.CurrentIkeSa = NULL;
-
- if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
- {
- t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
- }
-
- c = Search(ike->ClientList, &t);
-
- if (c != NULL && c->CurrentIkeSa != NULL)
- {
- init_cookie = c->CurrentIkeSa->InitiatorCookie;
- resp_cookie = c->CurrentIkeSa->ResponderCookie;
- }
-
- SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
- init_cookie, resp_cookie);
-
- SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 return;
 }
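Review bot: The new `if (ipsec_sa == NULL)` branch drops the packet with no trace, while RFC 4303 §3.4.2, which the added comment invokes, treats an ESP packet with no matching SA as an auditable event in addition to a mandatory discard; a rate-limited debug line or a dropped-packet counter before the `return;` (recording at least the SPI and source address, using whatever logging facility this file already has, which the hunk does not show) would let an operator distinguish a spoofed-source flood from a misconfigured peer without reinstating the reply that caused the amplification. The added comment also has a grammar slip and leaves the reason implicit; I would replace the two lines with `// Thanks to @phillibert's report: replying to an unknown SPI can be abused for traffic amplification,` and `// so per RFC 4303 section 3.4.2 the packet is discarded without any response (this is an auditable event).` The locals the removed branch declared (`init_cookie`, `resp_cookie`, `c`, `t`) were scoped to that branch, so the deletion leaves nothing unused. ProcIPsecEspPacketRecv begins before this hunk, so whether `spi` and `seq` are validated elsewhere is not visible here.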