> On Jul 2, 2015, at 6:48 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote: > > On Thu, Jul 02, 2015 at 06:40:45PM +0300, Yoav Nir wrote: > >>> What prevents IP address hijacking (mallory.example publishes >>> alice.example's IP address and now mallory's IPSEC keys are used >>> to encrypt traffic to alice)? >> >> Not sure I follow. Mallory publishes >> - mallory.example.com IN A 192.0.2.5 >> - mallory.example.com IN TLSA .... >> >> But there's also >> - alice.example.com IN A 192.0.2.5 >> - alice.example.com IN TLSA .... >> >> So Mallory can push people looking for his IPsec entity to go to Alice's >> IPsec entity. > > No, Mallory might be able to hijack the traffic keys to 192.0.2.5 > (Alice's IP address), and then MiTM the traffic in question (BGP > attack or equivalent). If there's no risk of MiTM, just do anon-DH > and you're done, no need for a PKI. >
It’s the Internet. MitM is always a risk. But I’m still not getting it. IPsec traffic keys are negotiated with the IKE protocol, which provides both authentication and key exchange with D-H. How could mallory hijack traffic keys? If Mallory doesn’t have the private key that matches the public key in Alice’s TLSA record ([1]) then IKE will fail. Yoav [1] I’m assuming here use of the same TLSA record as in TLS, but it could be another type of record _______________________________________________ dane mailing list dane@ietf.org https://www.ietf.org/mailman/listinfo/dane