[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Secure legacy authentication for IKEv2
-----BEGIN PGP SIGNED MESSAGE-----
I didn't understand Dan's scenario, so I asked him if this was what he meant.
So I'll repost it:
the scenario is:
EAPclient ----- some transport ---- man-in-the-middle ====IKEv2==== gateway
i.e. web-bunny ebay.su whitehouse.gov
Web bunny thinks she is opening her wallet to buy stuff from some new ebay-like
site, and in fact ebay.su uses the credentials to build themselves an IPsec
tunnel to the web-bunny's place of work.
Is this the attack? It seems to be because there is no binding in the EAP
inner pieces to something like the IKEv2 cookies or vica-versa.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBPhHxIIqHRg3pndX9AQEvdwQAhNhU/WLLVmSiWiiA4+DWg+cwN0ytI+l0
+bZjNKiShxLcSWTojX1TUbJ6yot6KJUYg+PnZb/jrbpmSMSYyfck1JIKmi9190Hf
LgFdshz1jQtU71ZucRFa8plBJhti+qRffqrvQI5lgt1py0q62AalUhYZu2IB12B/
Mj78eDLIUX8=
=/uHl
-----END PGP SIGNATURE-----