[Ach] IPSEC
christian mock
cm at coretec.at
Sun Nov 17 13:26:14 CET 2013
On Thu, Nov 14, 2013 at 01:52:54AM +0100, Aaron Zauner wrote:
> We’ll need to find someone with proper knowledge of IPSEC, IKE and
> so on.
I tried, please pull.
There are a few TODOs in there:
- pre-shared key length recommendations
- lifetime recommendations for phase 1 & 2
Also, what about the blowfish and CAST ciphers?
> For example: in most commercial network vendor gear you can’t
> disable DES, Triple-DES and a shitload of other insecure algorithms
> due to it being standardized in IPSEC. Which can result in
> disastrous downgrade attacks.
AFAICT, you need to *implement* those to be compliant, but you can
restrict the suites you offer to a certain peer to a single one, so
downgrades should be prevented.
I have not, however, tried to verify this by analyzing IKEs.
cm.
--
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - So that something like this doesn't happen!
http://heise.de/-1260559
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
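
Added example, not part of the original message or the ACH project's material: a small Python check for the restriction discussed above, that each peer is offered exactly one suite with no fallback. It assumes strongSwan `ipsec.conf` syntax (`ike=`/`esp=` with the `!` strict flag); the sample config, the function names and the `WEAK` set are constructed for illustration.

```python
import re

# Algorithms the thread calls insecure (DES, Triple-DES); extend per local policy.
WEAK = {"des", "3des"}

# Constructed sample, assuming strongSwan ipsec.conf syntax.
SAMPLE_CONF = """\
conn legacy-peer
    ike=aes256-sha256-modp2048,3des-sha1-modp1024
    esp=aes256-sha256

conn pinned-peer
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line and line[0].isspace():
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(text):
    """List (conn, key, problem) where the offer is not one strict, strong suite."""
    findings = []
    for name, opts in parse_conns(text).items():
        for key in ("ike", "esp"):
            value = opts.get(key)
            if value is None:
                findings.append((name, key, "not set, daemon defaults apply"))
                continue
            strict = value.endswith("!")
            proposals = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
            if not strict:
                findings.append((name, key, "no strict flag (!), other suites may be accepted"))
            if len(proposals) != 1:
                findings.append((name, key, f"{len(proposals)} proposals offered"))
            for algo in sorted({a for p in proposals for a in p.lower().split("-")} & WEAK):
                findings.append((name, key, f"weak algorithm {algo}"))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports only the `legacy-peer` connection; `pinned-peer` offers a single strict suite for both phases and passes.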