[Ach] IPSEC

Sun Nov 17 13:26:14 CET 2013

On Thu, Nov 14, 2013 at 01:52:54AM +0100, Aaron Zauner wrote:

> We’ll need to find someone with proper knowledge of IPSEC, IKE and
> so on. 

I tried, please pull.

There's a few TODOs in there:

- pre-shared key lenght recommendations

- lifetime recommendations for phase 1 & 2

also, what about the blowfish and CAST ciphers?

> For example: in most commercial network vendor gear you can’t
> disable DES, Triple-DES and a shitload of other insecure algorithms
> due to it being standardized in IPSEC. Which can result in
> desasterous downgrade attacks.

AFAICT, you need to *implement* those to be compliant, but you can
restrict the suites you offer to a certain peer to a single one, so
downgrades should be prevented.

I have not, however, tried to verify this by analyzing IKEs.

cm.

-- 
Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - Damit so etwas nicht passiert!

http://heise.de/-1260559

.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.