
List:       ipsec
Subject:    Re: [IPsec] bid down to IKEv1
From:       Paul Wouters <paul () nohats ! ca>
Date:       2022-11-02 18:30:03
Message-ID: 2486DCB1-9A41-4245-82E9-AFE390F8F462 () nohats ! ca

On Nov 2, 2022, at 17:49, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 002 "dooku--ipv6" #14: Bid-down to IKEv1 attack detected, attempting to rekey connection with IKEv2
> I've NEVER seen a real one of these in the field.  I'm on a Eurostar train's wifi.
> Could it be some helpful NAT44?

Likely bad matching on magic bytes that include the exchange type to block VPNs?

That code is relying on vendor IDs in IKEv1, but those payloads are not signed in
IKEv1. If there was a real attack they would also strip the CANv2 custom vendorid.
That is one of the reasons why libreswan removed this detection code.

Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
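
Added illustration, not part of the original message and not libreswan code: a minimal IKEv1 (RFC 2408) payload walker showing that a cleartext Main Mode message parses as equally valid with or without a Vendor ID payload, so the absence of a marker proves nothing to the receiver. The marker string, cookies and SA body are constructed placeholders, and `parse_ikev1` / `build_ikev1` are hypothetical helper names.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 header, 28 bytes
PAYLOAD_HDR = struct.Struct("!BxH")        # next payload, reserved, length
VENDOR_ID = 13                             # IKEv1 Vendor ID payload type
SA = 1                                     # IKEv1 Security Association payload type
MAIN_MODE = 2                              # Identity Protection exchange

def parse_ikev1(msg):
    """Return (major version, exchange type, vendor ID bodies) of a cleartext message."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, next_pl, version, exch, flags, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match datagram")
    if flags & 0x01:
        raise ValueError("payloads are encrypted")
    vids, off = [], ISAKMP_HDR.size
    while next_pl != 0:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        following, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        if next_pl == VENDOR_ID:
            vids.append(msg[off + PAYLOAD_HDR.size:off + plen])
        next_pl, off = following, off + plen
    return version >> 4, exch, vids

def build_ikev1(payloads):
    """Assemble a constructed Main Mode message from (type, body) pairs."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, PAYLOAD_HDR.size + len(data)) + data
    return ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), payloads[0][0], 0x10,
                           MAIN_MODE, 0, 0, ISAKMP_HDR.size + len(body)) + body

# Constructed sample data: opaque SA body and a placeholder marker string.
SA_BODY = bytes(8)
MARKER = b"EXAMPLE-IKEV2-CAPABLE"
WITH_MARKER = build_ikev1([(SA, SA_BODY), (VENDOR_ID, MARKER)])
WITHOUT_MARKER = build_ikev1([(SA, SA_BODY)])

if __name__ == "__main__":
    for name, msg in (("with marker", WITH_MARKER), ("without marker", WITHOUT_MARKER)):
        print(name, parse_ikev1(msg))
```

The version and exchange type sit at fixed offsets 17 and 18 of the header, which is what makes them easy for a middlebox to match on.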

