Re: IKE DoS - factual?

2006-07-28 Thread Hans-Joerg Hoexer
On Fri, Jul 28, 2006 at 09:32:09AM -0700, Spruell, Darren-Perot wrote:
> Word is, there is a flaw in IKEv1 that allows for an attacker to create IKE
> sessions faster than previous attempts expire. The security research firm
> who found the flaw only lists Cisco VPN devices as being vulnerable while
> Cisco maintains that the flaw is in the IKE protocol itself.
> 
> Research Firm:
> http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
> 
> Cisco's Response:
> http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html
> 
> I hesitate to trust Cisco's response fully, as the behavior sounds like
> something that to me would be implementation dependent.
> 
> Is it legitimate to fear that this kind of attack could succeed against
> isakmpd(8) or other IKE implementations of other projects, for example? If
> so, what if any controls would be effective in defense?

This is indeed a flaw of the IKE protocol and rather old news; see
the article mentioned in isakmpd.conf(8), section CAVEATS.

Regarding DoS mitigation, see http://www.openbsd.org/papers/ikepaper.ps.



IKE DoS - factual?

2006-07-28 Thread Spruell, Darren-Perot
Word is, there is a flaw in IKEv1 that allows for an attacker to create IKE
sessions faster than previous attempts expire. The security research firm
who found the flaw only lists Cisco VPN devices as being vulnerable while
Cisco maintains that the flaw is in the IKE protocol itself.

Research Firm:
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html

Cisco's Response:
http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html

I hesitate to trust Cisco's response fully, as the behavior sounds like
something that to me would be implementation dependent.

Is it legitimate to fear that this kind of attack could succeed against
isakmpd(8) or other IKE implementations of other projects, for example? If
so, what if any controls would be effective in defense?

--
Darren Spruell
Information Security Operations
Catholic Healthcare West IT
(602)307-2217
[EMAIL PROTECTED]