"ISAKMP" flaws?
Paul Hoffman
paul.hoffman at vpnc.org
Tue Nov 15 12:46:16 EST 2005
At 10:14 AM -0500 11/15/05, Perry E. Metzger wrote:
>Some articles have been appearing in various web sites about flaws in
>IPSec key negotiation protocols, such as this one:
>
>http://news.com.com/VPN+flaw+threatens+Internet+traffic/2100-1002_3-5951916.html
>
>I haven't been following the IPSec mailing lists of late -- can anyone
>who knows details explain what the issue is?

The advisory itself is at
<http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en>.
Note that the abstract is "Multiple Vulnerability Issues in
Implementation of ISAKMP Protocol", with emphasis on "Implementation
of". It appears that this is *not* a problem with ISAKMP or IKE, but
instead only a problem with some implementations. A summary would be
"when some IKEv1 implementations are sent certain malformed messages,
they stop, reboot, or possibly do other bad things".

Given that they started this research with sending malformed SNMP
packets to SNMP-aware systems (with similar results), it is safe to
extrapolate the results to implementations of nearly any protocol to
varying extents. It is likely that this applies to IKEv2 as well, but
using differently-malformed packets. It is also likely that it
applies to some SSL/TLS implementations, of course using very
different malformed packets.

--Paul Hoffman, Director
--VPN Consortium
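
An added illustration, not part of the original message and not taken from the advisory: the kind of length validation an IKEv1 receiver needs before it touches any payload body. The header and generic payload header layouts follow RFC 2408; the function name, error codes, payload limit and sample bytes are constructed for this example, and inconsistent length fields are assumed as one representative kind of malformed input, since the message does not list the advisory's test cases.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 2408 layout: 28-byte ISAKMP header, 4-byte generic payload header. */
#define ISAKMP_HDR_LEN  28
#define PAYLOAD_HDR_LEN 4
#define MAX_PAYLOADS    32   /* local policy limit, an assumption of this example */

enum isakmp_check { ISAKMP_OK = 0, ERR_SHORT, ERR_TOTAL_LEN,
                    ERR_PAYLOAD_LEN, ERR_TOO_MANY, ERR_TRAILING };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: check every length field of a received datagram
 * (n bytes) and return the first inconsistency found. */
enum isakmp_check isakmp_check_lengths(const uint8_t *buf, size_t n) {
    if (n < ISAKMP_HDR_LEN) return ERR_SHORT;
    uint32_t total = be32(buf + 24);               /* header Length field */
    if (total < ISAKMP_HDR_LEN || total > n) return ERR_TOTAL_LEN;
    if (buf[19] & 0x01) return ISAKMP_OK;          /* encrypted: walk after decryption */
    uint8_t next = buf[16];                        /* header Next Payload */
    size_t off = ISAKMP_HDR_LEN;
    unsigned count = 0;
    while (next != 0) {
        if (++count > MAX_PAYLOADS) return ERR_TOO_MANY;
        if (total - off < PAYLOAD_HDR_LEN) return ERR_PAYLOAD_LEN;
        uint16_t plen = be16(buf + off + 2);
        /* plen == 0 would stall a naive walker; plen past the end would over-read */
        if (plen < PAYLOAD_HDR_LEN || plen > total - off) return ERR_PAYLOAD_LEN;
        next = buf[off];
        off += plen;
    }
    return off == total ? ISAKMP_OK : ERR_TRAILING;
}

/* Constructed sample: header announcing one 8-byte payload, total length 36. */
static const uint8_t sample_ok[36] = {
    [0] = 0xAA, [16] = 1, [17] = 0x10, [18] = 2, [27] = 36, /* cookie, next, version, exchange, length */
    [28] = 0, [31] = 8                                      /* payload: next = none, length = 8 */
};

int main(void) {
    return isakmp_check_lengths(sample_ok, sizeof sample_ok) == ISAKMP_OK ? 0 : 1;
}
```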