Attack on IKEv2

What is it?

IPsec-based VPNs secure communication over public network infrastructures for remote workers. Before the VPN can protect the traffic, a precise sequence of complex events must occur: the user is identified and authorized, then a session key is securely negotiated. The final key must only be known to the two involved parties.

How does it work?

The complex protocol that performs these tasks is known as Internet Key Exchange (IKE, currently IKEv2). It derives session keys that permit Internet Protocol traffic (IPv4 or IPv6) to be encrypted.

Should I be worried?

This complexity is real. An unauthenticated attacker could crash strongSwan [open source IPsec-based VPN solution for Linux] using only the first IKEv2 packet.

How can I prevent it?

The best defense is to upgrade to the patched version of strongSwan. All IKEv2 implementations should also be tested against variations of real-world service-level traffic throughout the deployment life cycle, to continuously establish that they tolerate unexpected or invalid input without service degradation or downtime.
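
As an added illustration of what tolerating invalid input in the first IKEv2 packet involves (this is not strongSwan's code and not a reconstruction of the flaw, which the article does not detail), the C code below checks the framing of an initial IKE_SA_INIT request against the RFC 7296 header layout before any payload is interpreted. The function name, enum names and sample packet are constructed for this example, and the datagram is assumed to arrive on UDP port 500 without a non-ESP marker.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { IKE_HDR_LEN = 28, PAYLOAD_HDR_LEN = 4, IKE_SA_INIT = 34 };
enum ike_check { IKE_OK, IKE_TRUNCATED, IKE_BAD_HEADER, IKE_BAD_LENGTH, IKE_BAD_PAYLOAD };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Constructed sample: IKE header plus one 8-byte payload of type 40 (Nonce). */
static const uint8_t ike_sample[36] = {
    1, 2, 3, 4, 5, 6, 7, 8,             /* initiator SPI (non-zero) */
    0, 0, 0, 0, 0, 0, 0, 0,             /* responder SPI (zero in first message) */
    40, 0x20, IKE_SA_INIT, 0x08,        /* next payload, version 2.0, exchange, flags */
    0, 0, 0, 0,  0, 0, 0, 36,           /* message ID 0, total length 36 */
    0, 0, 0, 8,  0xAA, 0xAA, 0xAA, 0xAA /* payload: next=0, length 8, 4 data bytes */
};

/* Hypothetical helper: accept a datagram only if it frames a valid initial request. */
enum ike_check ike_check_initial(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero_spi[8] = {0};

    if (len < IKE_HDR_LEN) return IKE_TRUNCATED;
    if (memcmp(pkt, zero_spi, 8) == 0 || memcmp(pkt + 8, zero_spi, 8) != 0)
        return IKE_BAD_HEADER;                        /* SPI rules for message 1 */
    if ((pkt[17] >> 4) != 2 || pkt[18] != IKE_SA_INIT)
        return IKE_BAD_HEADER;                        /* major version, exchange type */
    if ((pkt[19] & 0x28) != 0x08 || be32(pkt + 20) != 0)
        return IKE_BAD_HEADER;                        /* Initiator set, Response clear, ID 0 */
    if (be32(pkt + 24) != len) return IKE_BAD_LENGTH; /* strict: must match datagram size */

    uint8_t next = pkt[16];
    size_t off = IKE_HDR_LEN;
    while (next != 0) {                               /* walk the generic payload headers */
        if (len - off < PAYLOAD_HDR_LEN) return IKE_BAD_PAYLOAD;
        size_t plen = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        if (plen < PAYLOAD_HDR_LEN || plen > len - off) return IKE_BAD_PAYLOAD;
        next = pkt[off];
        off += plen;
    }
    return off == len ? IKE_OK : IKE_BAD_LENGTH;      /* no trailing bytes */
}

int main(void) {
    return ike_check_initial(ike_sample, sizeof ike_sample); /* 0 == IKE_OK */
}
```

Every length read from the packet is compared against the bytes actually remaining before it is used, so a zero, undersized or oversized payload length is rejected instead of driving the parser past the end of the buffer or into an endless loop.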
