Hi all,

It was suggested in [1] that pre-shared keys ought to provide a partial defense against downgrade attacks, and that we should note this in draft-smyslov-ipsecme-ikev2-downgrade-prevention. I've put up a PR for this and would appreciate feedback from the WG: https://github.com/smyslov/ikev2-downgrade-prevention/pull/7

A couple of things to clarify from the previous thread:

1. Valery pointed out that the use of a pre-shared key is usually negotiated by an extension, and this negotiation is itself subject to downgrade attack. It is therefore necessary for the use of the pre-shared key to be mandatory.

2. I claimed that RFC 8784 would not provide forward secrecy in light of this attack [2]. I'm now less certain about this: the pre-shared key ought to provide sufficient protection against the attack as long as it's mixed in prior to the IKE_AUTH (and IKE_INTERMEDIATE?) exchange. I apologize if I inadvertently misled anyone here.

Best,
Chris P.

[1] https://mailarchive.ietf.org/arch/msg/ipsec/7SJIUgJuOvGcKimdEkJaD-qDWu0/
[2] https://mailarchive.ietf.org/arch/msg/ipsec/NrOhC8pHldOUj-0DeHt7l7-v_20/
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
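The two points in the mail above can be seen in a small key-derivation model. The following Python is an added illustration, not code from the draft, the PR or RFC 8784: it reduces the Diffie-Hellman exchange to a shared-secret byte string that an attacker is assumed to recover (the downgraded group is treated as broken), uses HMAC-SHA256 in place of the negotiated prf, and follows the RFC 7296 derivation of SK_d and Child SA KEYMAT plus the RFC 8784 mixing SK_d' = prf+(PPK, SK_d). All nonces, SPIs and key values are constructed. It shows that with a mandatory PPK the attacker's KEYMAT does not match the peers' even though the DH secret is known, and that if PPK use is merely negotiated and the negotiation is stripped, the peers and the attacker derive the same KEYMAT.

```python
"""Toy model of RFC 8784 PPK mixing in IKEv2 and why its use has to be mandatory.
Constructed illustration: HMAC-SHA256 stands in for the negotiated prf and the
DH exchange is reduced to a shared-secret byte string."""
import hashlib
import hmac

KEY_LEN = 32  # bytes; SHA-256 output size, used for every SK_* key in this model


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, modelled as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + data + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def derive_sk_d(shared_secret: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """SKEYSEED = prf(Ni|Nr, g^ir); SK_d is the first prf+ output block (RFC 7296 section 2.14).
    SK_ai/SK_ar/SK_ei/SK_er/SK_pi/SK_pr follow SK_d in the real derivation and are omitted here."""
    skeyseed = prf(ni + nr, shared_secret)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN)


def mix_ppk(sk_d: bytes, ppk: bytes) -> bytes:
    """RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d). SK_pi' and SK_pr' are mixed the same way."""
    return prf_plus(ppk, sk_d, KEY_LEN)


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int = 2 * KEY_LEN) -> bytes:
    """Child SA KEYMAT = prf+(SK_d, Ni|Nr) for the SA created in IKE_AUTH (RFC 7296 section 2.17)."""
    return prf_plus(sk_d, ni + nr, length)


def run_scenario(ppk_mandatory: bool) -> dict:
    """Honest peers derive Child SA keys; an attacker who has recovered the DH secret of a
    downgraded group tries to do the same without the PPK. Reports whether they coincide."""
    # Constructed, fixed values so the run is reproducible.
    shared_secret = b"\x11" * 32  # g^ir of the weak, downgraded group; assumed recoverable by the attacker
    ni, nr = b"\xaa" * 16, b"\xbb" * 16
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    ppk = b"\xcc" * 32  # out-of-band pre-shared key, never on the wire

    sk_d = derive_sk_d(shared_secret, ni, nr, spi_i, spi_r)

    # Attacker's view: everything on the wire plus the broken DH secret, but no PPK.
    attacker_keymat = child_keymat(sk_d, ni, nr)

    if ppk_mandatory:
        # Both peers mix the PPK unconditionally; there is no negotiation to strip.
        honest_keymat = child_keymat(mix_ppk(sk_d, ppk), ni, nr)
    else:
        # PPK use was negotiated in IKE_SA_INIT and that negotiation was removed
        # (point 1 of the mail): peers fall back to plain SK_d.
        honest_keymat = child_keymat(sk_d, ni, nr)

    return {"attacker_has_keymat": hmac.compare_digest(attacker_keymat, honest_keymat)}


if __name__ == "__main__":
    print("PPK mandatory:", run_scenario(True))   # attacker_has_keymat: False
    print("PPK negotiable:", run_scenario(False))  # attacker_has_keymat: True
```

Note that RFC 8784 leaves SK_ei/SK_er untouched (the responder must decrypt IKE_AUTH before it can look up the PPK), so the model only speaks to keys derived from SK_d; that is what the mail's caveat about mixing the PPK in before IKE_AUTH refers to.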
