Old News (encryption without integrity protection may not yield confidentiality)

As one of Sun's IPsec developers, I've been getting queries about a recent advisory from a UK agency regarding common mistakes made when configuring IPsec-based VPN tunnels. This advisory has gotten some press coverage, but isn't really news.

I first heard about it from Steve Bellovin at the IETF meeting in Danvers, Massachusetts over 10 years ago; he subsequently published "Problem Areas for the IP Security Protocols" describing this flaw.

And, if you try to set this up using Solaris's IPsec, you get warned:

# ifconfig ip.tun0 plumb encr_algs aes
ifconfig: WARNING - tunnel with only ESP and potentially no authentication.


I hope other vendors will add similar warnings now.
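The same check can be run over saved tunnel commands before they are applied. The script below is an added example, not part of the original post or of Solaris: it flags any tunnel that asks for ESP encryption with neither ESP authentication nor AH. The `encr_auth_algs` and `auth_algs` options come from the Solaris ifconfig(1M) tunnel parameters rather than from this post, and the function names, verdict strings and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# encr_algs, encr_auth_algs and auth_algs are Solaris ifconfig(1M) tunnel
# options; treating the value "none" as "disabled" is an assumption here.

# classify_tunnel WORD...: print ok, no-integrity or no-esp for the
# words that follow "ifconfig <tunnel>".
classify_tunnel() {
    encr="" esp_auth="" ah_auth=""
    while [ $# -gt 0 ]; do
        key=$1; shift
        case "$key" in
            encr_algs)      encr=${1:-} ;;      # ESP encryption
            encr_auth_algs) esp_auth=${1:-} ;;  # ESP authentication
            auth_algs)      ah_auth=${1:-} ;;   # AH
        esac
    done
    case "$encr" in none) encr="" ;; esac
    case "$esp_auth" in none) esp_auth="" ;; esac
    case "$ah_auth" in none) ah_auth="" ;; esac
    if [ -z "$encr" ]; then
        echo no-esp
    elif [ -n "$esp_auth" ] || [ -n "$ah_auth" ]; then
        echo ok
    else
        echo no-integrity     # the case ifconfig warns about
    fi
}

# audit_commands: read "ifconfig <tunnel> ..." lines on stdin and print
# "<tunnel> <verdict>" for each one.
audit_commands() {
    while read -r cmd iface rest; do
        [ "$cmd" = ifconfig ] || continue
        set -f                      # no globbing while splitting $rest
        echo "$iface $(classify_tunnel $rest)"
        set +f
    done
}

# Constructed sample input; the first line is the command from the post.
audit_commands <<'EOF'
ifconfig ip.tun0 plumb encr_algs aes
ifconfig ip.tun1 plumb encr_algs aes encr_auth_algs sha1
ifconfig ip.tun2 plumb encr_algs aes auth_algs md5
EOF
```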
Comments:

[Trackback] Must be a slow week in security research land. First "news" that IPSec could be configured insecurely! which IPSec implementors have known about for ages and had already taken steps to ensure the user was warned if AH was not configured. Then a s...

Posted by Paul Jakma's Weblog on May 13, 2005 at 12:50 PM EDT #
