[Cryptography] IKE/ISAKMP/IPsec complexity by design

Paul Wouters paul at cypherpunks.ca
Sat Oct 6 23:11:05 EDT 2018

On Wed, 3 Oct 2018, Florian Weimer wrote:

> I have yet to see a large-scale IPsec deployment where users cannot
> attack each other by impersonating the gateway.

Almost all IKEv2 deployments do now. Those specifically use a certificate
on the gateway, and an EAP based user/password sceme on the client side.
IKEv1 did not allow asymmetric authentication, so indeed people just
used PSK because running a CA is too hard and expensive. But now all
all those people with VPN services on their phone (which almost always
use IKEv2 now) are not vulnerable to this.

It takes time for enterprises to catch up, I agree. And IKEv2 has
existed for over a decade, so doubly sad.

> Of course, that's not the fault of the IPsec protocol as standardized
> by the IETF because the IETF refused to cover that use case.  But if
> the protocol does not match user requirements and users start looking
> for dodgy alternatives, that should tell us something about the
> protocol, too.

The protocol has been able to do X.509 plus user/password using IKEv1
XAUTH for like 20 years. If you want to point fingers at who is to blame
for PSK rollouts everywhere, blame the X.509 people and openssl usage. It
is still a giant investment in time and money to get an enterprise
CA going, and there is no good reason for that. It is the same reason
people didn't do SSL per default until ACME came along and automated it
(ok, money also mattered there)


More information about the cryptography mailing list