peer address protection

Francis Dupont <Francis.Dupont@enst-bretagne.fr> Tue, 07 January 2003 18:53 UTC

Message-Id: <200301071741.h07HfNof046164@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: ipsec@lists.tislabs.com
Subject: peer address protection
Date: Tue, 07 Jan 2003 18:41:23 +0100
Sender: owner-ipsec@lists.tislabs.com

Peer addresses (as defined in draft-ietf-ipsec-pki-profile-01.txt) are
not protected in IKE (not always in IKEv1, not at all in IKEv2 with
revised identities). This opens a security hole, not against IKE itself,
but using IKE to divert traffic (i.e., not a property we'd like for a
security protocol).

The I-D editor has just announced the new version of my I-D about
the transient pseudo-NAT attack and its application to Mobile IPv4
(documented in the security section of the NAT traversal extension)
and to IKE... Its name is draft-dupont-transient-pseudonat-01.txt.

I believe we should fix the issue (the security flaw) for the next
version of the IKEv2 document.

Regards

Francis.Dupont@enst-bretagne.fr

PS: I have to refresh the draft-dupont-ipsec-mipv6-01.txt too. I'm
looking for co-authors...