
peer address protection



Peer addresses (as defined in draft-ietf-ipsec-pki-profile-01.txt) are
not protected in IKE (not always in IKEv1, not at all in IKEv2 with
revised identities). This opens a security hole, not against IKE itself,
but using IKE to divert traffic (i.e., not a property we'd like for a
security protocol).

The I-D editor has just announced the new version of my I-D about
the transient pseudo-NAT attack and its application to Mobile IPv4
(documented in the security section of the NAT traversal extension)
and to IKE... Its name is draft-dupont-transient-pseudonat-01.txt.

I believe we should fix the issue (the security flaw) for the next
version of the IKEv2 document.

Regards

Francis.Dupont@xxxxxxxxxxxxxxxx

PS: I have to refresh the draft-dupont-ipsec-mipv6-01.txt too. I'm
looking for co-authors...