Kowsik Guruswamy, co-founder and CTO, Mu Dynamics
November 05, 2008
Threat of the month

Attack on IKEv2

What is it?

IPsec-based VPNs secure communication over public network infrastructures for remote workers. Before the VPN can protect the traffic, a precise sequence of complex events must occur: the user is identified and authorized, then a session key is securely negotiated. The final key must only be known to the two involved parties.

How does it work?

The complex protocol that performs these tasks is known as Internet Key Exchange (IKE, currently IKEv2). It derives session keys that permit Internet Protocol traffic (IPv4 or IPv6) to be encrypted.

Should I be worried?

This complexity is real. An unauthenticated attacker could crash strongSwan [open source IPsec-based VPN solution for Linux] using only the first IKEv2 packet.

How can I prevent it?

The best defense is to upgrade to the patched version of strongSwan. All IKEv2 implementations should be subjected to variations on real-world service-level traffic throughout the deployment life cycle, continuously establishing that they tolerate unexpected or invalid inputs without experiencing service degradation or downtime.

From the November 2008 Issue of SCMagazine »
Similar Articles
close

Next Article in Features

More in Features

Behind the scenes: Privacy and data-mining

Behind the scenes: Privacy and data-mining

With data-mining firms harvesting personal information from online activity, privacy advocates, if not yet consumers, are alarmed, reports James Hale.

The great divide: Reforming the CFAA

The great divide: Reforming the CFAA

Aaron Swartz's death inspired Rep. Zoe Lofgren to want to reform the federal anti-hacking law, but some security pros worry this would sterilize a potent enforcement weapon, reports Dan Kaplan.

Suspect everything: Advanced threats in the network

Suspect everything: Advanced threats in the network

Are there ways to catch sophisticated malware that hides in trusted processes and services? Deb Radcliff finds out.