peer address protection
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Tue, 07 January 2003 18:53 UTC
Message-Id: <200301071741.h07HfNof046164@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: ipsec@lists.tislabs.com
Subject: peer address protection
Date: Tue, 07 Jan 2003 18:41:23 +0100

Peer addresses (as defined in draft-ietf-ipsec-pki-profile-01.txt) are not protected in IKE (not always in IKEv1, not at all in IKEv2 with revised identities). This opens a security hole, not against IKE itself, but using IKE to divert traffic (i.e., not a property we'd like for a security protocol).

The I-D editor has just announced the new version of my I-D about the transient pseudo-NAT attack and its application to Mobile IPv4 (documented in the security section of the NAT traversal extension) and to IKE... Its name is draft-dupont-transient-pseudonat-01.txt.

I believe we should fix the issue (the security flaw) for the next version of the IKEv2 document.

Regards

Francis.Dupont@enst-bretagne.fr

PS: I have to refresh the draft-dupont-ipsec-mipv6-01.txt too. I'm looking for co-authors...