
Re: Avoiding tricking IKE v2 nodes into talking v1



Since Vendor ID payloads are not authenticated,
wouldn't this scheme be susceptible to an active 
attack where the IKEv1 vendor ID payload is removed?

----- Original Message ----- 
From: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
To: <ipsec@lists.tislabs.com>
Sent: Monday, August 26, 2002 12:48 PM
Subject: Re: Avoiding tricking IKE v2 nodes into talking v1


| At 10:00 AM -0700 8/26/02, Dan Harkins wrote:
| >   If something really has to be done I suggest we come up with an
| >IKEv1 "vendor ID" payload that says something like "I can actually
| >speak a higher version of IKE". This payload would be sent in the
| >5th and 6th message in Main Mode or the 2nd and 3rd in Aggressive
| >Mode.
| 
| This sounds like the cleanest approach, and it matches what most 
| implementations use vendor ID payloads for.
| 
| >Most implementations can handle "vendor ID" payloads in these
| >parts of the exchanges.
| 
| If the WG is worried about this, VPNC could probably test this fairly 
| quickly among our members' products.
| 
| --Paul Hoffman, Director
| --VPN Consortium
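
Added example, not part of the original messages: a minimal ISAKMP payload-chain parser showing that a message carrying the proposed vendor ID and one without it are both well-formed, so the receiver's only signal is the presence of an unauthenticated payload. The vendor ID value, cookies and payload bodies are constructed, since the thread defines none.

```python
import hashlib
import struct

VENDOR_ID = 13  # ISAKMP payload type for Vendor ID (RFC 2408)
# Hypothetical marker: the thread defines no value for the "I can speak a
# higher version of IKE" vendor ID, so this one is constructed.
HIGHER_VERSION_VID = hashlib.sha256(b"constructed: speaks IKEv2").digest()[:16]

def build_message(payloads, exchange_type=2):
    """Build a constructed ISAKMP message from (type, body) pairs."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, first,
                         0x10, exchange_type, 0, 0, 28 + len(body))
    return header + body

def parse_payloads(msg):
    """Walk the generic payload chain; raise ValueError if malformed."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    nxt, total = msg[16], struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError("length field does not match message size")
    off, out = 28, []
    while nxt != 0:
        if off + 4 > total:
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > total:
            raise ValueError("bad payload length")
        out.append((nxt, msg[off + 4:off + plen]))
        nxt, off = following, off + plen
    if off != total:
        raise ValueError("trailing bytes after last payload")
    return out

def peer_claims_higher_version(msg):
    """True only if the (unauthenticated) marker vendor ID is present."""
    return any(t == VENDOR_ID and d == HIGHER_VERSION_VID
               for t, d in parse_payloads(msg))

# Constructed Aggressive Mode-style payloads (SA, KE, Nonce, ID, HASH).
BASE = [(1, b"\0" * 8), (4, b"\1" * 16), (10, b"\2" * 16),
        (5, b"\3" * 8), (8, b"\4" * 16)]
WITH_VID = build_message(BASE + [(VENDOR_ID, HIGHER_VERSION_VID)], 4)
WITHOUT_VID = build_message(BASE, 4)
```

Both constructed messages parse cleanly and share the same SA, KE, Nonce, ID and HASH payloads; nothing in the message format marks the second one as incomplete.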