From: Christopher Patton <[email protected]>
Sent: Tuesday, July 29, 2025 2:22 PM
To: Scott Fluhrer (sfluhrer) <[email protected]>
Cc: ipsec <[email protected]>
Subject: [IPsec] Re: draft-smyslov-ipsecme-ikev2-downgrade-prevention
First, there is a stronger variant not described in -00 that doesn't require compromising either of the victim peers. This attack is described in the original thread [1] and we have also added a description of the draft [2]. To mount the attack, rather than compromise the victim initiator, the attacker can be any initiator that the victim responder is configured to speak to. The key observation is that the downgrade happens before the initiator identifies itself to the peer. This means the attacker can simply authenticate itself with its own signing key. We refer to this as an "identity misbinding" attack in the draft.

[HJ] So there are 3 parties: X (initiator), Y (responder) and A (attacker). R is configured to speak to both X and A, but I would expect X to be configured to speak only to Y. For example, X would typically check the received certificate's SAN or subject to see if it matches Y's FQDN, so if A can't forge Y's certificate, wouldn't X just fail the setup after checking the received certificate?
