One of the differences between RFC 5996 and 4306 is in the rekeying where it's
stated in RFC 5996 section 2.8:
"Note that, when rekeying, the new Child SA SHOULD NOT have different Traffic
Selectors and algorithms than the old one."
Additionally in section 1.3.3 (that also addresses rekeying)
Hi Hannes,
I agree that the example is a bit artificial and in real life
one would not use IKE/IPsec to control garage door.
At least now. But if IoT becomes ubiquitous then
who knows, probably such setup will be default
"off shelf" solution...
Regards,
Valery.
P.S. What about mutual authentic
No, that is not caused by the unauthenticated protocol, but caused by
the same device to be used with two different doors. Even if the
device would do full authentication and would verify that the door is
in his list of doors which can be opened, attacker could still do the
same thing.
Only way t
Hi Yaron,
sorry for late reply - I was on vacation.
I still think that the example is valid. The example describes the remote
opener which
opens the only door. If you want to open different doors using single opener
then you might
run into trouble you described. But this attack can be thwarted