"ISAKMP" flaws?

Paul Hoffman paul.hoffman at vpnc.org
Tue Nov 15 12:46:16 EST 2005


At 10:14 AM -0500 11/15/05, Perry E. Metzger wrote:
>Some articles have been appearing in various web sites about flaws in
>IPSec key negotiation protocols, such as this one:
>
>http://news.com.com/VPN+flaw+threatens+Internet+traffic/2100-1002_3-5951916.html
>
>I haven't been following the IPSec mailing lists of late -- can anyone
>who knows details explain what the issue is?

The advisory itself is at 
<http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en>. 
Note that the abstract is "Multiple Vulnerability Issues in 
Implementation of ISAKMP Protocol", with emphasis on "Implementation 
of". It appears that this is *not* a problem with ISAKMP or IKE, but 
instead only a problem with some implementations. A summary would be 
"when some IKEv1 implementations are sent certain malformed messages, 
they stop, reboot, or possibly do other bad things".

Given that they started this research with sending malformed SNMP 
packets to SNMP-aware systems (with similar results), it is safe to 
extrapolate the results to implementations of nearly any protocol to 
varying extents. It is likely that this applies to IKEv2 as well, but 
using differently-malformed packets. It is also likely that it 
applies to some SSL/TLS implementations, of course using very 
different malformed packets.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
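
The failure mode summarized in the message above (implementations that stop or reboot on malformed IKEv1 messages) comes down to trusting length fields in received packets. The following is an added example, not part of the original post or of any implementation the advisory covers: a bounds-checked walk over the ISAKMP fixed header and generic payload chain as laid out in RFC 2408. The names `isakmp_walk`, `walk_sample` and `MAX_PAYLOADS` are hypothetical, the sample message is constructed, and the message is assumed to be unencrypted.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN 28u  /* RFC 2408 fixed header size */
#define GEN_HDR_LEN    4u   /* generic payload header: next, reserved, length(2) */
#define MAX_PAYLOADS   32   /* assumed cap for this example, not from the RFC */

/* Returns the number of payloads walked, or -1 if the message is malformed. */
int isakmp_walk(const uint8_t *m, size_t n)
{
    if (m == NULL || n < ISAKMP_HDR_LEN)
        return -1;                        /* truncated fixed header */
    uint32_t total = (uint32_t)m[24] << 24 | (uint32_t)m[25] << 16 |
                     (uint32_t)m[26] << 8 | m[27];
    if (total < ISAKMP_HDR_LEN || total > n)
        return -1;                        /* length field disagrees with datagram */
    uint8_t next = m[16];                 /* type of the first payload, 0 = none */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {
        if (count >= MAX_PAYLOADS || total - off < GEN_HDR_LEN)
            return -1;                    /* chain names a payload that is absent */
        size_t plen = (size_t)m[off + 2] << 8 | m[off + 3];
        if (plen < GEN_HDR_LEN || plen > total - off)
            return -1;                    /* too short stalls the walk, too long over-reads */
        next = m[off];
        off += plen;
        count++;
    }
    return off == total ? count : -1;     /* strict choice: reject trailing bytes */
}

/* Constructed sample: fixed header plus one 8-byte payload slot whose
 * length field is set to plen, so different values can be tried. */
int walk_sample(uint16_t plen)
{
    uint8_t m[36] = {0};
    m[16] = 1;                            /* next payload: SA */
    m[17] = 0x10;                         /* version 1.0 */
    m[18] = 2;                            /* exchange type: Identity Protection */
    m[27] = 36;                           /* total message length */
    m[30] = (uint8_t)(plen >> 8);         /* payload length, high byte */
    m[31] = (uint8_t)(plen & 0xff);       /* payload length, low byte */
    return isakmp_walk(m, sizeof m);
}

int main(void) { return walk_sample(8) == 1 && walk_sample(0) == -1 ? 0 : 1; }
```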


