On Thu, Jul 02, 2015 at 08:04:37PM +0300, Yoav Nir wrote:

> >> Not sure I follow. Mallory publishes
> >> - mallory.example.com  IN  A 192.0.2.5
> >> - mallory.example.com  IN TLSA ....

Mallory publishes her own TLSA record for keys she possesses.

> >> But there's also 
> >> - alice.example.com IN A 192.0.2.5
> >> - alice.example.com IN TLSA ....

Alice's keys are ignored once Mallory's PAD entry for 192.0.2.5
supersedes or displaces Alice's.

> >> So Mallory can push people looking for his IPsec entity to go to Alice's
> >> IPsec entity.

No, Mallory can cause people trying to connect to Alice's IP address
to use Mallory's keys.

> > No, Mallory might be able to hijack the traffic keys to 192.0.2.5
> > (Alice's IP address), and then MiTM the traffic in question (BGP
> > attack or equivalent).  If there's no risk of MiTM, just do anon-DH
> > and you're done, no need for a PKI.
> > 
> 
> It's the Internet. MitM is always a risk. But I'm still not getting it.
> IPsec traffic keys are negotiated with the IKE protocol, which provides
> both authentication and key exchange with D-H. How could Mallory hijack
> traffic keys?

The IKE protocol negotiation takes place with Mallory, standing in
for Alice.

> If Mallory doesn't have the private key that matches the
> public key in Alice's TLSA record ([1]) then IKE will fail.

Alice's key is not used.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
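
The displacement described in the message above, as an added example that is not part of the original thread: a toy PAD with one entry per peer IP address, filled from TLSA lookups, next to a variant that reports the conflict. The class names, the `key_id` strings, the `learn()` step and the first-binding check are assumptions made for illustration; the zone data is constructed from the names and address quoted in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tlsa:
    owner: str   # DNS name the TLSA record was published under
    key_id: str  # stand-in for the key material carried in the record

# Constructed zone data mirroring the thread: two names, one address.
DNS = {
    "alice.example.com": ("192.0.2.5", Tlsa("alice.example.com", "alice-key")),
    "mallory.example.com": ("192.0.2.5", Tlsa("mallory.example.com", "mallory-key")),
}

class PadByAddress:
    """Toy PAD holding one entry per peer IP address; the newest lookup wins."""
    def __init__(self):
        self.entries = {}

    def learn(self, name):
        addr, tlsa = DNS[name]
        self.entries[addr] = tlsa  # silently replaces any earlier entry
        return addr

    def expected_key(self, name):
        addr, _ = DNS[name]
        return self.entries[addr].key_id  # looked up by address only

class PadWithConflictCheck(PadByAddress):
    """Same table, but a second name claiming a bound address is reported."""
    def learn(self, name):
        addr, tlsa = DNS[name]
        held = self.entries.get(addr)
        if held is not None and held.owner != name:
            raise ValueError(f"{addr} already bound to {held.owner}")
        return super().learn(name)

def displaced_key():
    # Alice's entry is learned first, then the lookup of Mallory's name replaces it.
    pad = PadByAddress()
    pad.learn("alice.example.com")
    pad.learn("mallory.example.com")
    return pad.expected_key("alice.example.com")

def conflict_report():
    pad = PadWithConflictCheck()
    pad.learn("alice.example.com")
    try:
        pad.learn("mallory.example.com")
    except ValueError as exc:
        return str(exc)
    return pad.expected_key("alice.example.com")
```

The first-binding check only makes the collision visible; it does not establish which name legitimately owns the address.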
