
I'm trying to understand why I would have less security if I disable replay attack protection in the OpenVPN config. It's not really explained in the man page, only "Don't use this option unless you are prepared to make a trade-off of greater efficiency in exchange for less security."

As far as I understand, IP packets can be duplicated by design and every application using IP should be ready to deal with it. And it's not a theoretical possibility: WiFi networks can produce duplicate packets. The TCP stack is ready to handle duplicate packets, so for any TCP connection there's no problem with duplicate packets.

So the only problem I can see is that some buggy application might use the UDP protocol and not be ready to correctly handle duplicate packets, so an attacker might produce those duplicate packets and trigger unusual behaviour. Is that correct? Are there any real facts about such vulnerabilities?

vbezhenar

1 Answer


First, you need to fully understand Replay attacks.

A replay attack is an attack where an authentication session is replayed by an attacker to fool a computer into granting access. It may be any form of re-transmission of a network data transmission, but is usually used to gain authentication.

So, it's not only a duplicate packet issue, and its danger is not about DoS attacks and other related problems.

And as for "greater efficiency in exchange for less security", from the OpenVPN website:

Replay protection is accomplished by tagging each outgoing datagram with an identifier that is guaranteed to be unique for the key being used. The peer that receives the datagram will check for the uniqueness of the identifier. If the identifier was already received in a previous datagram, OpenVPN will drop the packet. Replay protection is important to defeat attacks such as a SYN flood attack, where the attacker listens in the wire, intercepts a TCP SYN packet (identifying it by the context in which it occurs in relation to other packets), then floods the receiving peer with copies of this packet.

And that explains the words "greater efficiency", because the process above takes time.

Eibo
  • Doesn't such an authentication replay still require a buggy application that allows such a replayed authentication to succeed? There's no authentication within OpenVPN itself that is vulnerable to such a replay, is there? And while, sure, applications with such replay vulnerabilities will be "more secure" with OpenVPN removing the potential for them, and "less secure" without that, how much SHOULD OpenVPN be responsible for potential attack vectors that application layer software might expose? Seems a slippery slope to venture down, and costly ("greater efficiency in exchange...") – vontrapp May 31 '19 at 03:18
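As an added illustration of the identifier check the answer quotes (this is not code from the question, the answer, or the OpenVPN project), here is a sliding-window replay filter in Python: each datagram carries a per-key sequence number, the receiver remembers which ones it has already seen, and repeats are dropped while modest reordering is tolerated. The 64-id window width and the `ReplayWindow` name are assumptions.

```python
# Sliding-window replay filter modelled on the scheme quoted in the answer:
# every datagram carries a packet id that is unique for the current key; the
# receiver tracks what it has already accepted and drops any repeat.
# Illustrative code, not OpenVPN's implementation; the window width is assumed.

WINDOW = 64  # assumed window width, in packet ids


class ReplayWindow:
    """Accept each packet id at most once; tolerate reordering within the window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.highest = 0   # highest packet id accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set  =>  id (highest - i) already received

    def check(self, pkt_id):
        """Return True if pkt_id is new and in-window (and record it); False means drop."""
        if pkt_id <= 0:
            return False                         # ids start at 1; 0 is never valid
        if pkt_id > self.highest:
            shift = pkt_id - self.highest        # window slides forward to the new id
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = pkt_id
            return True
        offset = self.highest - pkt_id
        if offset >= self.window:
            return False                         # too old: fell out of the window
        if self.bitmap & (1 << offset):
            return False                         # already received: a replay
        self.bitmap |= 1 << offset               # late but legitimate: record it
        return True


def filter_stream(ids, window=WINDOW):
    """Run received packet ids through one window; return (accepted, dropped)."""
    w = ReplayWindow(window)
    accepted, dropped = [], []
    for i in ids:
        (accepted if w.check(i) else dropped).append(i)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample: normal traffic, one reordered packet (4 after 5), and a
    # burst of copies of packet 3 standing in for the "flood of copies" the answer describes.
    stream = [1, 2, 3, 5, 4, 3, 3, 3, 6]
    acc, drop = filter_stream(stream)
    print("accepted:", acc)   # accepted: [1, 2, 3, 5, 4, 6]
    print("dropped: ", drop)  # dropped:  [3, 3, 3]
```

The cost the man page alludes to is the per-packet bookkeeping in `check`; the benefit is that a captured datagram, however many times it is resent, is accepted at most once.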