
Executive Summary: No version of Openswan is vulnerable to NISCC Vulnerability Advisory IPSEC 004033


May 13th, 2005
Last week NISCC tried to contact us regarding a new vulnerability in the IPsec protocol. While we were still trying to contact NISCC, they published their NISCC Vulnerability Advisory IPSEC 004033, which has now found its way to journalists everywhere, such as News.com and Slashdot, who are all interpreting NISCC's report as "IPsec has a major security hole". Unfortunately (or rather fortunately), this interpretation is completely wrong.

What the advisory is basically saying is that IPsec encryption (specifically ESP in tunnel mode) without authentication is vulnerable to various attacks. This has always been known: without an integrity check, an attacker can modify ciphertext in transit and nothing on the receiving end detects it. In fact, Openswan does not allow anyone to create such an IPsec connection; an ESP proposal with no authentication algorithm is rejected unless it is combined with AH. If NISCC had done a little bit of research, or had spent a little bit more time trying to contact us, they would have known this was a rather non-issue for Openswan.

From openswan-2/programs/pluto/spdb_struct.c:

notification_t parse_ipsec_sa_body(
        [...]
        switch (esp_attrs.auth)
        {
            case AUTH_ALGORITHM_NONE:
                if (!ah_seen)
                {
                    DBG(DBG_CONTROL | DBG_CRYPT
                        , DBG_log("ESP from %s must either have AUTH or be combined with AH"
                            , ip_str(&c->spd.that.host_addr)));
                    continue;   /* try another */
                }
                break;
        [...]

Openswan-1 contains similar code in openswan-1/pluto/spdb.c
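To show concretely what the rejected proposal would expose, here is an added example (written for this page, not Openswan's or Xelerance's code) modelling an ESP tunnel-mode packet as AES-CBC with and without an HMAC-SHA1-96 integrity check value (ICV). The keys, IV and inner IPv4 packet are constructed sample data; the field layout and checksum follow RFC 791, but the ESP trailer, padding and sequence number are left out of the model. The attacker never touches the key: because CBC decryption XORs the IV into the first plaintext block, flipping IV bits rewrites the inner header's protocol field and fixes up its checksum, and the encryption-only receiver accepts the result. The same packet is dropped as soon as an ICV is checked, which is exactly what the AUTH_ALGORITHM_NONE check above guarantees.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample keys (assumption: any 16-byte AES key and any HMAC key work here).
var (
	encKey  = []byte("0123456789abcdef")
	authKey = []byte("authkey-authkey-auth")
)

// ipChecksum folds the 16-bit ones'-complement sum over hdr (RFC 791).
// Run over a header whose checksum field is filled in, a valid header yields 0.
func ipChecksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// setChecksum zeroes and recomputes the header checksum field (bytes 10-11).
func setChecksum(hdr []byte) {
	hdr[10], hdr[11] = 0, 0
	binary.BigEndian.PutUint16(hdr[10:], ipChecksum(hdr[:20]))
}

// innerPacket builds a constructed inner IPv4 packet: 20-byte header plus zero
// payload, 48 bytes in total (a multiple of the AES block size).
func innerPacket(proto byte) []byte {
	pkt := make([]byte, 48)
	pkt[0] = 0x45                               // version 4, IHL 5
	binary.BigEndian.PutUint16(pkt[2:], 48)     // total length
	binary.BigEndian.PutUint16(pkt[4:], 0x1234) // identification
	pkt[8] = 64                                 // TTL
	pkt[9] = proto                              // protocol (6 = TCP, 17 = UDP)
	copy(pkt[12:16], []byte{10, 0, 0, 1})       // src 10.0.0.1
	copy(pkt[16:20], []byte{10, 0, 0, 2})       // dst 10.0.0.2
	setChecksum(pkt)
	return pkt
}

// espEncrypt models the encrypted part of an ESP packet: IV || AES-CBC(inner).
func espEncrypt(iv, inner []byte) []byte {
	b, _ := aes.NewCipher(encKey) // key length is fixed at 16, so no error is possible
	ct := make([]byte, len(inner))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, inner)
	return append(append([]byte{}, iv...), ct...)
}

func espDecrypt(pkt []byte) []byte {
	b, _ := aes.NewCipher(encKey)
	inner := make([]byte, len(pkt)-aes.BlockSize)
	cipher.NewCBCDecrypter(b, pkt[:aes.BlockSize]).CryptBlocks(inner, pkt[aes.BlockSize:])
	return inner
}

// icv is the HMAC-SHA1-96 integrity check value an ESP SA carries when an
// auth algorithm is negotiated; AUTH_ALGORITHM_NONE is exactly its absence.
func icv(pkt []byte) []byte {
	m := hmac.New(sha1.New, authKey)
	m.Write(pkt)
	return m.Sum(nil)[:12]
}

// rewriteProtocol is the attacker's move and needs no key: in CBC, flipping a
// bit of the IV flips the same bit of the first plaintext block and nothing
// else. Given a guess of the original first block (inner IP headers are highly
// predictable), the IV is XORed so that block decrypts to the same header with
// a new protocol field and a checksum corrected to match.
func rewriteProtocol(pkt, guessedHdr []byte, newProto byte) []byte {
	want := append([]byte{}, guessedHdr[:20]...)
	want[9] = newProto
	setChecksum(want)
	out := append([]byte{}, pkt...)
	for i := 0; i < aes.BlockSize; i++ {
		out[i] ^= guessedHdr[i] ^ want[i]
	}
	return out
}

// receive models the responder: with withAuth it verifies the ICV before
// decrypting; without it, the decrypted inner header is trusted as long as the
// checksum adds up. Returns the inner protocol field it would act on.
func receive(pkt, tag []byte, withAuth bool) (byte, error) {
	if withAuth && !hmac.Equal(icv(pkt), tag) {
		return 0, errors.New("ICV mismatch, packet dropped")
	}
	inner := espDecrypt(pkt)
	if ipChecksum(inner[:20]) != 0 {
		return 0, errors.New("inner header checksum invalid")
	}
	return inner[9], nil
}

// Demo encrypts an inner TCP packet, tampers with it in transit, and returns the
// protocol an encryption-only responder sees and the error an ICV-checking one raises.
func Demo() (byte, error) {
	iv := []byte("constructed-IV-!") // 16 bytes; real ESP uses a fresh random IV
	inner := innerPacket(6)
	pkt := espEncrypt(iv, inner)
	tag := icv(pkt)
	tampered := rewriteProtocol(pkt, inner, 17) // TCP -> UDP, checksum still valid
	seen, _ := receive(tampered, tag, false)
	_, err := receive(tampered, tag, true)
	return seen, err
}

func main() {
	seen, err := Demo()
	fmt.Printf("encryption only: responder sees protocol %d\nwith ICV: %v\n", seen, err)
}
```

Only the first 16 bytes can be rewritten cleanly this way; changing a later block by flipping the preceding ciphertext block garbles that preceding block and, for the header, breaks its checksum. That is why the published attacks concentrate on fields in the first block (protocol, TTL, source address) and on what the gateway does with the result. An ICV over the whole ESP payload closes every variant at once.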

Contact:
For further information, please contact Xelerance Corporation.


© 2003-2006 Xelerance Corporation