+1 to adding privacy text to the charter. This seems like it will be
increasingly relevant if we’re doing host-to-host communication and we want to
protect the privacy of various peers.
—Tommy
> On Feb 16, 2018, at 12:09 PM, Paul Wouters wrote:
>
> On Fri, 16 Feb 2018, Tero
Yoav Nir writes:
> > The reason why we defined IKEv2 so that initiator provides identity
> > first, was that if responder provides identity first, then attackers
> > can make probe attacks and collect identities of the remote peers,
> > even when the IPsec is not currently in use. I.e., like we
On Fri, 16 Feb 2018, Tero Kivinen wrote:
IKEv2 is currently vulnerable to the two following privacy concerns:
1) It's not possible to run a server that obfuscates IKEv2/IPsec using
TLS.
2) The privacy of the initiator's identity in the presence of a man in
the middle attacker is not
Hi Yoav, responses inline.
> On Feb 16, 2018, at 10:25, Yoav Nir wrote:
>
>> On 16 Feb 2018, at 20:13, Tero Kivinen wrote:
>>
>> 1) It's not possible to run a server that obfuscates IKEv2/IPsec using
>> TLS.
>>
>> Today thanks to RFC 8229 it is
> On 16 Feb 2018, at 21:09, Tero Kivinen wrote:
>
> Yoav Nir writes:
>>> 2) The privacy of the initiator's identity in the presence of a man in
>>> the middle attacker is not protected.
>>>
>>> Today an attacker with full control of the network can receive the
>>> IDi/IDr
Yoav Nir writes:
> > 2) The privacy of the initiator's identity in the presence of a man in
> > the middle attacker is not protected.
> >
> > Today an attacker with full control of the network can receive the
> > IDi/IDr sent by the initiator in the first AUTH packet. We should
> > add
> On 16 Feb 2018, at 20:13, Tero Kivinen wrote:
>
> This item does not have charter text yet; we do have text which
> explains what the problem is, but I think it requires some
> reformatting to fit as charter text.
>
> The problem description is:
>
>
This item does not have charter text yet; we do have text which
explains what the problem is, but I think it requires some
reformatting to fit as charter text.
The problem description is:
--
IKEv2 is currently vulnerable to the