Bill Sommerfeld's Weblog

Still Under Construction. Watch for falling objects


Thursday May 12, 2005

Old News (encryption without integrity protection may not yield confidentiality)

As one of Sun's IPsec developers, I've been getting queries regarding a recent advisory from a UK agency regarding common mistakes made when configuring IPsec-based VPN tunnels. This advisory has gotten some press coverage, but isn't really news.

I first heard about it from Steve Bellovin at the IETF meeting in Danvers, Massachusetts over 10 years ago; he subsequently published "Problem Areas for the IP Security Protocols" describing this flaw.

And, if you try to set this up using Solaris's IPsec, you get warned:

# ifconfig ip.tun0 plumb encr_algs aes
ifconfig: WARNING - tunnel with only ESP and potentially no authentication.


I hope other vendors will add similar warnings now.
(2005-05-12 14:46:24.0)
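
A check in the spirit of the warning above, as an added example that is not part of the original post and not Solaris code: it audits saved ifconfig tunnel lines for ESP encryption with no authentication algorithm. The auth_algs and encr_auth_algs keywords are Solaris ifconfig tunnel parameters that do not appear in the post; treating the value "none" as "disabled", the function name audit_tunnel, and every sample line except the first are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit ifconfig tunnel lines for encryption-only ESP.
# Assumption: an algorithm value of "none" means that protection is off.

# audit_tunnel "<ifconfig command line>"
# exit status: 0 = an authentication algorithm is configured
#              1 = ESP encryption with no authentication algorithm
#              2 = no IPsec algorithms on this line
audit_tunnel() (
    set -f                      # no globbing while splitting the line
    encr='' auth='' prev=''
    for word in $1; do
        # Each keyword is followed by its value, so inspect the previous word.
        case $prev in
            encr_algs)
                if [ "$word" != none ]; then encr=$word; fi ;;
            auth_algs|encr_auth_algs)
                if [ "$word" != none ]; then auth=$word; fi ;;
        esac
        prev=$word
    done
    if [ -n "$auth" ]; then exit 0; fi
    if [ -n "$encr" ]; then exit 1; fi
    exit 2
)

# Constructed sample input; only the first line is taken from the post.
while IFS= read -r line; do
    rc=0
    audit_tunnel "$line" || rc=$?
    case $rc in
        0) verdict="ok: integrity protection configured" ;;
        1) verdict="WARN: ESP encryption without authentication" ;;
        *) verdict="note: no IPsec algorithms set" ;;
    esac
    printf '%-62s %s\n' "$line" "$verdict"
done <<'EOF'
ifconfig ip.tun0 plumb encr_algs aes
ifconfig ip.tun0 plumb encr_algs aes encr_auth_algs sha1
ifconfig ip.tun0 plumb encr_algs aes encr_auth_algs none
ifconfig ip.tun0 plumb auth_algs sha1
ifconfig ip.tun0 plumb
EOF
```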

Trackback URL: http://blogs.sun.com/sommerfeld/entry/old_news_encryption_without_integrity
Comments:

[Trackback] Must be a slow week in security research land. First "news" that IPSec could be configured insecurely! which IPSec implementors have known about for ages and had already taken steps to ensure the user was warned if AH was not configured. Then a s...

Posted by Paul Jakma's Weblog on May 13, 2005 at 07:50 PM EDT #
