Hi Paul,
On Wed, 16 Mar 2016, Michael Richardson wrote:
Tero Kivinen <[email protected]> wrote:
> What we could say in the DDoS draft is to add saying that IKEv1
> protocol is obsoleted, and will be common avenue for the DDoS attacks,
> and because of that it MUST be disabled.
> Or perhaps we need the IKEv1 considered harmful draft /
> ikev1-diediediediedie...
Yes, I would say so.
I'd even suggest that maybe it needs a CVE against products that have IKEv1
turned on by default.
No, because it is perfectly possible to implement IKEv1 without this
problem. Libreswan is moving towards that, see:
https://lists.libreswan.org/pipermail/swan-dev/2016-March/001394.html
Making only the initiator be responsible for retransmissions is possible
in the IKEv1 Main Mode. However, it is impossible in Aggressive Mode
(and in Quick Mode too, although it is irrelevant here).
The problem is that the last message comes from the initiator, and if this
message got lost, the initiator never knew about it unless the responder retransmits
the response to the very first message from the initiator. It's an inherent feature of IKEv1
caused by the odd number of messages in these exchanges. It can't be solved.
And besides the possibility of an amplification attack, IKEv1 has so many
problems that the only reason it is still used is maintaining interoperability
with older products.
Regards,
Valery.
Paul
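As an added illustration of the message-count argument in the thread above (this is a constructed toy model, not libreswan's code and not anything the posters wrote): it simulates a 6-message Main Mode and a 3-message Aggressive Mode exchange over a lossy channel, with a policy in which only the initiator owns a retransmit timer and the responder only answers packets it actually receives. Message numbering, the tick loop, the `drop_first` loss sets and the `initiator_stops_after` "spoofed source" parameter are all assumptions of the model.

```python
"""Toy model of IKEv1 retransmission responsibility (added example, not libreswan code).

Messages 1..n alternate: odd numbers go initiator -> responder, even numbers go
responder -> initiator. Main Mode has 6 messages, Aggressive Mode has 3.
"""

MAIN_MODE = 6        # even count: the last message is sent by the responder
AGGRESSIVE_MODE = 3  # odd count: the last message is sent by the initiator


def simulate(n_messages, drop_first=frozenset(), responder_timer=False,
             initiator_stops_after=None, max_ticks=30):
    """Run one exchange over a lossy channel (constructed model).

    drop_first            -- message numbers lost on their first transmission
    responder_timer       -- if True the responder retransmits on timeout (unsolicited
                             sends); if False it only answers packets it receives
    initiator_stops_after -- the initiator goes silent after this message number
                             (models a first packet sent from a spoofed source)
    Returns completion flags, the number of unsolicited responder packets and a
    per-message transmission count.
    """
    seen = {"I": 0, "R": 0}   # highest message number each side has sent or received
    tx = {}                   # message number -> transmissions so far
    unsolicited = 0

    def deliver(msg, to):
        tx[msg] = tx.get(msg, 0) + 1
        if msg in drop_first and tx[msg] == 1:
            return                      # lost on the wire
        if msg > seen[to]:
            seen[to] = msg              # new message: the receiver's state advances
        elif seen[to] >= msg + 1:
            # Duplicate of a message this side already answered: resend the answer.
            # Triggered 1:1 by an incoming packet, so it is not counted as unsolicited.
            deliver(msg + 1, "I" if to == "R" else "R")

    for _ in range(max_ticks):
        if seen["I"] == n_messages and seen["R"] == n_messages:
            break
        for side, other in (("I", "R"), ("R", "I")):
            s = seen[side]
            if s >= n_messages:
                continue                # this side has finished the exchange
            if side == "I" and initiator_stops_after is not None and s >= initiator_stops_after:
                continue                # silent (spoofed) initiator never answers
            my_turn = (s % 2 == 0) if side == "I" else (s % 2 == 1)
            if my_turn:
                seen[side] = s + 1
                deliver(s + 1, other)
            elif s > 0 and (side == "I" or responder_timer):
                if side == "R":
                    unsolicited += 1    # responder resends without being asked
                deliver(s, other)       # retransmit my last message on timeout

    return {
        "initiator_done": seen["I"] == n_messages,
        "responder_done": seen["R"] == n_messages,
        "unsolicited_responder_sends": unsolicited,
        "transmissions": tx,
    }


def completes_with_initiator_only_retransmit(n_messages):
    """True if, for every possible single lost message, both sides finish the
    exchange when only the initiator owns a retransmit timer."""
    for m in range(1, n_messages + 1):
        r = simulate(n_messages, {m})
        if not (r["initiator_done"] and r["responder_done"]):
            return False
    return True


if __name__ == "__main__":
    for name, n in (("Main Mode", MAIN_MODE), ("Aggressive Mode", AGGRESSIVE_MODE)):
        ok = completes_with_initiator_only_retransmit(n)
        print(f"{name} ({n} messages), initiator-only retransmit: {'recovers' if ok else 'gets stuck'}")
    # What a responder timer costs when the first packet came from a spoofed source:
    r = simulate(AGGRESSIVE_MODE, responder_timer=True, initiator_stops_after=1, max_ticks=10)
    print("unsolicited responder packets toward the spoofed address:",
          r["unsolicited_responder_sends"])
```

The model shows the two halves of the argument: with an even message count every loss is either an initiator message (the initiator's timer re-sends it) or a responder message (the initiator re-sends its previous message and the responder answers the duplicate), so the responder never has to send anything it was not just asked for; with an odd count, losing the final initiator message leaves the responder waiting with nobody to prompt it, and the only cure is a responder timer, which is exactly the unsolicited traffic a spoofed first packet can draw out.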
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec