> Dan Harkins <dharkins@tibernian.com> writes:
> > Caching authenticator blobs and blacklisting the naughty ones will not
> > stop this attack.
>
> Right, I see your point. I'd forgotten about the cookie pre-fetch phase.
>
> I agree that this attack exists with JFK and not with IKEv2. I'm not
> sure how serious it really is, but it seems like it would be easy to
> stop. JFK guys, do you have some reason not to include the initiator's
> IP in the authenticator? Like including it would destroy NAT interop?

If the packet goes through a NAT, the initiator does not know the IP address that the packets it sends will have when they arrive.

Phill