
Re: [IPsec] Failure Detection - Issue #190

From: Yoav Nir <ynir_at_nospam>
Date: Tue Sep 28 2010 - 23:07:58 GMT
To: Yaron Sheffer <yaronf.ietf@gmail.com>

It should be noted that this token protection is available only to EAP users. Endpoints that authenticate with certificates or PSKs are vulnerable to a MITM enumerating the tokens.

Since issue #191 is up next (tomorrow or Thursday), I won't publish a -01 version before #191 is resolved.

On Sep 28, 2010, at 3:24 PM, Yaron Sheffer wrote:

> Hi,
> I am obviously in favor of moving the QCD token to the first IKE_AUTH
> message (I opened the issue...), but I think this can only be done once
> Issue #191 is resolved, i.e. when we don't have to worry about token replay.
> Reason: the first IKE_AUTH message is susceptible to reading by an MITM
> attacker. If both IKE peers then reuse the SPI values (and therefore the
> token), the attacker will already have it.
> Thanks,
> Yaron

IPsec mailing list