On Fri, Jul 28, 2006 at 09:32:09AM -0700, Spruell, Darren-Perot wrote:
> Word is, there is a flaw in IKEv1 that allows for an attacker to create IKE
> sessions faster than previous attempts expire. The security research firm
> who found the flaw only lists Cisco VPN devices as being vulnerable while
> Cisco maintains that the flaw is in the IKE protocol itself.
>
> Research Firm:
> http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
>
> Cisco's Response:
> http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html
>
> I hesitate to trust Cisco's response fully, as the behavior sounds like
> something that to me would be implementation dependent.
>
> Is it legitimate to fear that this kind of attack could succeed against
> isakmpd(8) or other IKE implementations of other projects, for example? If
> so, what if any controls would be effective in defense?
This is indeed a flaw of the IKE protocol and rather old news; see the article mentioned in isakmpd.conf(8), section CAVEATS. Regarding DoS mitigation, see http://www.openbsd.org/papers/ikepaper.ps.

