On Fri, 11 Aug 2017, David Schinazi wrote:

1) Active man-in-the-middle attack against the initiator
An attacker that can intercept and spoof packets can complete the SA_INIT part 
of the exchange with both sides and get the initiator to disclose its IDi (and 
PPK_id). This allows an attacker to fingerprint devices and/or users.

One of the two will have to show ID before the other can make a decision
(before revealing itself) if it sees an attacker or a valid endpoint.
There have been suggestions in the past (eg BTNS with channel binding)
but no one thought it was worth the extra round trips. In theory you
could still do this using NULL-AUTH on the client, which authenticates
the server without losing any privacy and then running a second
authentication to 'upgrade' the client.

2) Passive off-path attack against a "hidden" responder
Today an IKEv2 server cannot hide the fact that it exists - the initiator's 
SA_INIT is not authenticated so the responder must respond to it even if it is 
forged, leaking the fact that it is running an IKEv2 server. Hypothetically 
speaking, if one were to run IKEv2 over TLS and sharing port 443 with a web 
server to obfuscate the fact that it is using IKEv2, an attacker could open a 
TLS connection and sending an SA_INIT to divulge the fact that this HTTPS 
server also supports IKEv2.

Maybe we should run DH on all webserver's for IKE :)

Straw man Proposal:


I believe this proposal does not reduce the security properties of the current 
draft, it also does not leak any information to any party that does not possess 
PPK, and it mitigates the attack vectors discussed above.

What are your thoughts?

I think the tor people will tell you that you would still be able to
fingerprint this enough to tell it is IKE over TLS.

I'd also prefer a mechanism not tied to PPKs. Those are supposed to be
a bandaid that wouldn't be used anymore in the future where we have
quantum safe algorithms.


IPsec mailing list

Reply via email to