
RE: Choosing between IKEv2 and JFK



> Dan Harkins <dharkins@tibernian.com> writes:
> > Caching authenticator blobs and blacklisting the naughty ones will not
> > stop this attack.
> Right, I see your point. I'd forgotten about the cookie pre-fetch
> phase.
>
> I agree that this attack exists with JFK and not with IKEv2. I'm not
> sure how serious it really is, but it seems like it would be easy to
> stop. JFK guys, do you have some reason not to include the initiator's
> IP in the authenticator?

Like including it would destroy NAT interop?

If the packet goes through a NAT the initiator does not know the IP 
address that the packets it sends will have when they arrive.

		Phill
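Added illustration (not code from this thread, from JFK, or from IKEv2): a toy Python model of a responder-side authenticator blob bound to a source IP address, run through the cases discussed above: a pre-fetched blob presented from a different address, an initiator behind a NAT whose mapping stays stable, a NAT whose mapping changes between the two messages, and a variant where the initiator reports its own (private) address. The secret, nonce, addresses and NAT table are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values; a real responder would use a fresh secret and
# per-exchange nonces. None of this is taken from the JFK or IKEv2 drafts.
RESPONDER_SECRET = b"constructed-responder-secret"
RESPONDER_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed NAT: inside (private) address -> outside address seen by the responder.
NAT_TABLE_STABLE = {"10.0.0.2": "203.0.113.5"}
NAT_TABLE_REBOUND = {"10.0.0.2": "203.0.113.6"}


def make_authenticator(secret: bytes, src_ip: str, nonce: bytes) -> bytes:
    """HMAC over the packed source address and the responder's nonce.

    The responder keeps no per-initiator state: it recomputes this value
    from the address it observes when the blob comes back.
    """
    ip_bytes = ipaddress.ip_address(src_ip).packed
    return hmac.new(secret, ip_bytes + nonce, hashlib.sha256).digest()


def verify_authenticator(secret: bytes, observed_src_ip: str,
                         nonce: bytes, presented: bytes) -> bool:
    expected = make_authenticator(secret, observed_src_ip, nonce)
    return hmac.compare_digest(expected, presented)


def responder_issue(observed_src_ip: str) -> bytes:
    return make_authenticator(RESPONDER_SECRET, observed_src_ip, RESPONDER_NONCE)


def responder_accept(observed_src_ip: str, blob: bytes) -> bool:
    return verify_authenticator(RESPONDER_SECRET, observed_src_ip, RESPONDER_NONCE, blob)


def scenario_prefetched_blob_replayed() -> bool:
    """Blob fetched from one address, then presented from another: rejected."""
    blob = responder_issue("203.0.113.5")
    return responder_accept("198.51.100.7", blob)


def scenario_nat_stable_mapping() -> bool:
    """Initiator behind a NAT, mapping unchanged between the two messages.

    The responder binds to the outside address it observes, so the initiator
    never needs to know that address; it only echoes the blob back.
    """
    inside = "10.0.0.2"
    blob = responder_issue(NAT_TABLE_STABLE[inside])
    return responder_accept(NAT_TABLE_STABLE[inside], blob)


def scenario_nat_mapping_changes() -> bool:
    """Same initiator, but the NAT rebinds it to a new outside address mid-exchange."""
    inside = "10.0.0.2"
    blob = responder_issue(NAT_TABLE_STABLE[inside])
    return responder_accept(NAT_TABLE_REBOUND[inside], blob)


def scenario_initiator_reports_own_address() -> bool:
    """Variant where the initiator fills in its own address and the responder
    binds the blob to that field: behind a NAT the reported (private) address
    never matches the source address the responder later observes."""
    inside = "10.0.0.2"
    blob = responder_issue(inside)
    return responder_accept(NAT_TABLE_STABLE[inside], blob)


if __name__ == "__main__":
    for name in ("scenario_prefetched_blob_replayed", "scenario_nat_stable_mapping",
                 "scenario_nat_mapping_changes", "scenario_initiator_reports_own_address"):
        print(f"{name}: {'accepted' if globals()[name]() else 'rejected'}")
```

Only the stable-NAT case verifies; the changed-mapping case shows the interop cost of an IP binding, and the last case shows why an initiator behind a NAT cannot supply the address itself.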
