Aaron Zauner azet at azet.org
Thu Nov 14 01:52:54 CET 2013


We’ll need to find someone with proper knowledge of IPSEC, IKE and so on. For example: in most commercial network vendor gear you can’t disable DES, Triple-DES and a shitload of other insecure algorithms due to it being standardized in IPSEC. Which can result in disastrous downgrade attacks. I did some research after I found out that you can’t disable those in Cisco gear (https://twitter.com/a_z_e_t/status/398488121601310720/photo/1) and: I didn’t believe it at first but you seem to be IPSEC incompatible if you do not do that! I mean vendors really do that despite selling this stuff as a “security” appliance. As far as I can tell either IPSEC needs to be reviewed or; more effective - vendors should just drop support and cancel sessions correctly before they get established with almost plaintext.

I might have mentioned this before: actually the same holds true for the NULL cipher. I’m not shitting you. John Gilmore posted this about the IPSEC standardization process recently to the cryptography mailing list: http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html
