Re: Secure legacy authentication for IKEv2

[Derrell Piper <ddp@electric-loft.org>]

Bernard,

I don't believe so because the server is fully authenticated by the 
client before the client needs to begin speaking the legacy 
authentication protocol and there's no way that a client can be induced 
to begin the legacy authentication without first authenticating the 
server.  If the server authentication fails after message two, the 
client MUST immediately terminate the IKE exchange.  (The client is 
presumed to be configured either with a set of trusted public keys or 
with a set of trusted root certificates.)  You can't run just half of 
the exchange.

For the binding attack (as I understand it) to be viable, an active 
attacker would have to bring up the SLA IKE tunnel through message two 
and then somehow induce someone to speak one of the legacy 
authentication methods to it.  But for that to happen, the attacker 
would have to complete the first two messages with the intended victim 
and in doing so, the client would learn that the attacker wasn't 
trusted.  (We were not concerned with trusted gateways impersonating 
each other.)

So please say more...

Derrell

On Friday, December 20, 2002, at 03:48 PM, Bernard Aboba wrote:

> Isn't the current version of SLA vulnerable to the same attack? I 
> don't see anywhere in the spec where a "binding" is carried out. In 
> fact, this would not be possible with the methods you're supporting, 
> because none of them generate keys.