Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Tommy Pauly
+1 to adding privacy text to the charter. This seems like it will be increasingly relevant if we’re doing host-to-host communication and we want to protect the privacy of various peers.

—Tommy

> On Feb 16, 2018, at 12:09 PM, Paul Wouters wrote:
>
> On Fri, 16 Feb 2018, Tero

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Tero Kivinen
Yoav Nir writes:
> > The reason why we defined IKEv2 so that initiator provides identity
> > first, was that if responder provides identity first, then attackers
> > can make probe attacks and collect identities of the remote peers,
> > even when the IPsec is not currently in use. I.e., like we

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Paul Wouters
On Fri, 16 Feb 2018, Tero Kivinen wrote:

IKEv2 is currently vulnerable to the two following privacy concerns:

1) It's not possible to run a server that obfuscates IKEv2/IPsec using TLS.

2) The privacy of the initiator's identity in the presence of a man in the middle attacker is not

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread David Schinazi
Hi Yoav, responses inline.

> On Feb 16, 2018, at 10:25, Yoav Nir wrote:
>
>> On 16 Feb 2018, at 20:13, Tero Kivinen wrote:
>>
>> 1) It's not possible to run a server that obfuscates IKEv2/IPsec using
>> TLS.
>>
>> Today thanks to RFC 8229 it is

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Yoav Nir
> On 16 Feb 2018, at 21:09, Tero Kivinen wrote:
>
> Yoav Nir writes:
>>> 2) The privacy of the initiator's identity in the presence of a man in
>>> the middle attacker is not protected.
>>>
>>> Today an attacker with full control of the network can receive the
>>> IDi/IDr

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Tero Kivinen
Yoav Nir writes:
> > 2) The privacy of the initiator's identity in the presence of a man in
> > the middle attacker is not protected.
> >
> > Today an attacker with full control of the network can receive the
> > IDi/IDr sent by the initiator in the first AUTH packet. We should
> > add

Re: [IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Yoav Nir
> On 16 Feb 2018, at 20:13, Tero Kivinen wrote:
>
> This item does not have charter text yet, we do have text which
> explains what the problem is, but I think it requires some
> reformatting to fit as charter text.
>
> The problem description is:
>
>

[IPsec] Additional charter items 4/4: Mitigating privacy concerns

2018-02-16 Thread Tero Kivinen
This item does not have charter text yet, we do have text which explains what the problem is, but I think it requires some reformatting to fit as charter text.

The problem description is:
--
IKEv2 is currently vulnerable to the