On Fri, Jul 28, 2006 at 09:32:09AM -0700, Spruell, Darren-Perot wrote:
> Word is, there is a flaw in IKEv1 that allows for an attacker to create
> IKE sessions faster than previous attempts expire. The security research
> firm who found the flaw only lists Cisco VPN devices as being vulnerable
> while Cisco maintains that the flaw is in the IKE protocol itself.
>
> Research Firm:
> http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
>
> Cisco's Response:
> http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html
>
> I hesitate to trust Cisco's response fully, as the behavior sounds like
> something that to me would be implementation dependent.
>
> Is it legitimate to fear that this kind of attack could succeed against
> isakmpd(8) or other IKE implementations of other projects, for example? If
> so, what if any controls would be effective in defense?
This is indeed a flaw of the ike protocol and rather old news, see the
article mentioned in isakmpd.conf(8), section CAVEATS. Regarding dos
mitigation, see http://www.openbsd.org/papers/ikepaper.ps.
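As an added illustration that is not part of this thread and is not taken from the isakmpd paper, the following Python model shows why a responder's half-open negotiation table guarded only by a timeout is exhausted once bogus first messages arrive faster than entries expire, and compares it with an assumed mitigation that reclaims the oldest pending slot instead of turning new peers away. The table size, flood rate, timeout and the oldest-first eviction are assumptions of the model, not parameters of isakmpd or any Cisco device.

```python
from collections import OrderedDict

class HalfOpenTable:
    """Responder-side table of half-open IKEv1 phase-1 negotiations (constructed model)."""

    def __init__(self, capacity, lifetime, evict_oldest=False):
        self.capacity = capacity          # max pending negotiations the responder keeps
        self.lifetime = lifetime          # seconds before an unfinished negotiation times out
        self.evict_oldest = evict_oldest  # assumed mitigation: reclaim the oldest slot when full
        self.pending = OrderedDict()      # initiator cookie -> time the first message arrived
        self.refused = 0

    def expire(self, now):
        # Drop negotiations whose timer ran out; insertion order equals age here.
        while self.pending and next(iter(self.pending.values())) + self.lifetime <= now:
            self.pending.popitem(last=False)

    def first_message(self, cookie, now):
        """Handle an initiator's first message; return True if state was allocated."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            if not self.evict_oldest:
                self.refused += 1         # timeout-only behaviour: new peers are turned away
                return False
            self.pending.popitem(last=False)
        self.pending[cookie] = now
        return True

    def complete(self, cookie):
        """The initiator answered; the half-open entry becomes a full SA and leaves the table."""
        return self.pending.pop(cookie, None) is not None

def simulate(flood_rate, lifetime, capacity, seconds, evict_oldest):
    """Each second, `flood_rate` bogus first messages arrive (constructed flood) and one
    legitimate peer starts and finishes its exchange within the same second.
    Returns how many legitimate exchanges completed."""
    table = HalfOpenTable(capacity, lifetime, evict_oldest)
    completed = 0
    for t in range(seconds):
        for i in range(flood_rate):
            table.first_message(("bogus", t, i), t)  # never followed up, so it lingers
        if table.first_message(("legit", t), t + 0.5) and table.complete(("legit", t)):
            completed += 1
    return completed

if __name__ == "__main__":
    # 100 bogus/s with a 30 s timeout needs 3000 slots at steady state; only 1000 exist.
    print(simulate(100, 30, 1000, 60, evict_oldest=False))  # 9: slots fill after ~10 s
    print(simulate(100, 30, 1000, 60, evict_oldest=True))   # 60: legitimate peers still finish
```

The eviction variant only keeps legitimate peers served while fewer than `capacity` bogus messages arrive during one legitimate exchange; past that point the responder needs further controls such as rate limiting.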