
Re: Do ipsec vendors care about privacy?

Antonio Forzieri <antonio.forzieri@cefriel.it> writes:

> It disappoints me too.
> 
> I think that we have to ask to ourselves what price we can pay to
> obtain IDi protection.

Remember that IPsec is a peer-to-peer protocol and can always be
reversed.  So the 'client' of one protocol can be turned into the
'server' in another context.  The protection we're talking about here
is against _ACTIVE_ attacks -- we're already protected against passive
attacks.

The concern is that an attacker sees an IKE connection from 1.2.3.4
and wants to figure out who 1.2.3.4 is, so they initiate an IKE to
1.2.3.4 (they can't just watch the existing session -- IKE is
protected against passive eavesdropping).  If the responder just gives
up its identity, then you've just lost!

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
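The active-probe concern in the message above, modelled as a small simulation. This is an added example, not part of Derek's mail or of any IPsec implementation: it is not the IKE wire format, the peer names and pre-shared key are constructed, and the AUTH payload is stood in for by an HMAC over the peer nonce. The only thing it shows is the policy choice the thread is arguing about: whether the responder discloses its ID payload before or after the initiator's AUTH has been verified, and what an unauthenticated initiator learns in each case.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Responder:
    """A toy IKE responder (constructed, not a real IKE stack)."""
    identity: str                    # what would go into the IDr payload
    psk: bytes                       # pre-shared key shared with legitimate peers
    reveal_id_before_peer_auth: bool  # the policy under discussion


def auth_payload(psk: bytes, nonce: bytes) -> bytes:
    # Stand-in for the IKE AUTH payload: a MAC over the peer's nonce keyed
    # with the pre-shared key. A peer without the PSK cannot produce it.
    return hmac.new(psk, nonce, hashlib.sha256).digest()


def ike_auth_exchange(initiator_psk: bytes, responder: Responder) -> dict:
    """Run the identity-revealing step and report what the initiator learned.

    The initiator always sends its ID and AUTH first (as in IKEv2). The
    responder then either discloses IDr immediately (weak policy) or only
    after the initiator's AUTH verifies (strict policy).
    """
    nr = os.urandom(16)  # responder nonce from the preceding IKE_SA_INIT (constructed)
    learned = {"responder_id": None, "initiator_authenticated": False}

    # Initiator -> Responder: IDi, AUTH(i). A prober has no valid PSK, so its
    # AUTH is computed under whatever key it happens to hold.
    auth_i = auth_payload(initiator_psk, nr)

    if responder.reveal_id_before_peer_auth:
        # Responder -> Initiator: IDr sent before AUTH(i) is checked.
        # This is the disclosure the mail warns about: anyone who can open
        # an IKE exchange to this address learns who answers there.
        learned["responder_id"] = responder.identity

    expected = auth_payload(responder.psk, nr)
    if hmac.compare_digest(expected, auth_i):
        learned["initiator_authenticated"] = True
        # Responder -> Initiator: IDr, AUTH(r) to a peer that has proven itself.
        learned["responder_id"] = responder.identity

    return learned


def run_scenarios() -> dict:
    """Compare the two responder policies against a prober and a legitimate peer."""
    real_psk = b"constructed-shared-secret"
    prober_psk = b"not-the-real-key"
    gateway_id = "vpn-gw.example.net"  # constructed identity

    weak = Responder(gateway_id, real_psk, reveal_id_before_peer_auth=True)
    strict = Responder(gateway_id, real_psk, reveal_id_before_peer_auth=False)

    return {
        "weak_policy_probe": ike_auth_exchange(prober_psk, weak),
        "strict_policy_probe": ike_auth_exchange(prober_psk, strict),
        "strict_policy_legit": ike_auth_exchange(real_psk, strict),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The passive-eavesdropping case is deliberately absent from the model because, as the mail says, the exchange already protects against it; the only variable is when the responder talks. Under the strict policy the unauthenticated initiator gets neither an identity nor a successful authentication, while a peer holding the shared secret still learns IDr exactly as before.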