
Re: IKE



>>>>> "Franck" == Franck Le <Franck.Le@nokia.com> writes:

 Franck> Hi, I have some questions on IKE.  Actually I was wondering
 Franck> if in the Main Mode, protection against man in the middle
 Franck> attacks is provided.  Since the first messages are sent in
 Franck> clear mode and without any authentication, can't a Bad Guy
 Franck> modify for example the SA payload ? That can bring to a
 Franck> denial of service.  So if it is the case, is there a way to
 Franck> protect against man in the middle attacks ?

The "man in the middle" that IKE protects against is a man in the
middle who wants to listen to your traffic, or modify it without being
detected.

It is impossible to define any protocol that prevents an active
attacker from deleting your traffic (or modifying it and forcing you
to discard it because the HMAC fails).  The only solution in that case
is to route around the attacker, if you can.  See Radia Perlman's PhD
thesis for more.

       paul
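
An added illustration, not part of the original message: in IKEv1 Main Mode with pre-shared keys (RFC 2409), the initiator's HASH_I covers the SA payload it sent, so an SA modified in transit is detected when the hash is checked and the negotiation fails instead of completing with the altered proposal. HMAC-SHA1 stands in for the negotiated prf, and every byte string is a constructed placeholder, not a real IKE encoding.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the prf negotiated in the SA (assumption).
    return hmac.new(key, data, hashlib.sha1).digest()

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    # RFC 2409: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)

def responder_accepts(skeyid, fields, sa_received, idii_b, received_hash):
    # The responder recomputes HASH_I over the SA body it actually received
    # in message 1 and compares in constant time.
    expected = hash_i(skeyid, *fields, sa_received, idii_b)
    return hmac.compare_digest(expected, received_hash)

def demo():
    # All values below are constructed placeholders, not real IKE encodings.
    psk = b"constructed-pre-shared-key"
    ni, nr = b"\x01" * 16, b"\x02" * 16
    fields = (b"g^xi-placeholder", b"g^xr-placeholder", b"I" * 8, b"R" * 8)
    idii_b = b"initiator.example"
    sa_sent = b"proposal: 3DES, SHA1, group 2"
    sa_tampered = b"proposal: DES, MD5, group 1"

    skeyid = prf(psk, ni + nr)  # SKEYID for pre-shared-key authentication
    # The initiator hashes the SA it sent; this arrives encrypted in message 5.
    sent_hash = hash_i(skeyid, *fields, sa_sent, idii_b)

    untouched = responder_accepts(skeyid, fields, sa_sent, idii_b, sent_hash)
    modified = responder_accepts(skeyid, fields, sa_tampered, idii_b, sent_hash)
    return untouched, modified

if __name__ == "__main__":
    print(demo())
```

The second result is the case discussed above: the change to the cleartext SA is caught, and what remains is a failed exchange.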

